Solved: Monitor only name of the file ignoring the content...

Ashwini008 · ‎08-17-2020

Hi, I want to index only name of the file generated and not the content of the file.

EX: FILE1

I am ABCD.

So i want to monitorand index only FILE1 in splunk and ignore the content "i am ABCD".

can this be done in splunk? If so how?

Thanks!

to4kawa · ‎08-17-2020

props.conf

SEDCMD-trim= s/(?ms).*/./

How about this?

to4kawa · ‎08-17-2020

props.conf

SEDCMD-trim= s/(?ms).*/./

How about this?

Ashwini008 · ‎08-18-2020

I tried the above props.conf but it does not capture anything.It just give blank

I want to capture the filename.any other way to do this?

to4kawa · ‎08-18-2020

your filename is contained in source field?

Ashwini008 · ‎08-18-2020

Yes but with whole file directory

EX :opt/app/splunk/myapps/filename

Should i extract it from there?

to4kawa · ‎08-18-2020

yes, INGEST_eval can make new field.

Ashwini008 · ‎08-18-2020

Thank you props.conf is working as expected.

Could you please let me know if INGEST_eval can be used during search time?

How to extract file name with this splunk command?

Monitor only name of the file ignoring the content of the file