Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Adding source path to table output

tom1981
Engager
‎04-16-2020 08:18 AM

I have the following search set up:

search string
| fields host raw
| fields - _time _indextime _sourcetype _subsecond _serial _bkt _cd _si _kv _timediff | head 1
| join append [ stats count | fields - count ]
| eval SourcePath=WHAT TO PUT HERE?
| eval ConfigItem="Config Item"
| eval PAGER="Pager"
| eval TEAM="Team"

| eval GROUP="Group"
| eval SHORTDESCRIPTION="Short Description"
| table host _raw SourcePath Config.Item PAGER TEAM GROUP SHORTDESCRIPTION
| rex mode=sed "s/\,//g"
| rex mode=sed "s/[^a-zA-Z0-9-.]+/ /g"
| outputcsv file.csv

Everything is working as required, I am just not too sure what should I match eval SourcePath= with in order to obtain the string of the source log file's path?
Anyone able to assist?

Thanks a bunch!
Tom

0 Karma
Reply

tom1981
Engager
‎04-18-2020 09:49 AM

Events:

Before formatting;
alt text

After formating:
alt text

Preview file
29 KB
Preview file
147 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-16-2020 09:49 AM

It's difficult to answer without knowing your data. Please share some sample (sanitized) events.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

tom1981
Engager
‎04-18-2020 09:49 AM

Hello,

Sorry for the delay.
Please see in the answer section for the event examples (cannot add pictures here)

Thanks a lot!

0 Karma
Reply

tom1981
Engager
‎04-27-2020 10:40 AM

Bump to top.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...