Splunk Search

Extract Field from source's file path

pl123
Path Finder

Hi, I would to know if it is possible to use a part of the source events file path ie "foobar" from

/weblogs/123/https-blah.com/foobar

and extract it as a field or value (ie ws_server) in either a search or via transforms.conf / props.

Thanks

Tags (1)
2 Solutions

tedder
Communicator

For using it in a search, you can test it with this:

rex field=_raw "https-blah.com/(?<path>\S*)"

Might have to adjust it, depending on what other values exist.

After that, use field extractions.

View solution in original post

0 Karma

ziegfried
Influencer

Yes you can extract it to a field. If you want to search for it, you will want to use a indexed field (as opposed to a search time extracted field).

props.conf

[your_sourcetype]
TRANSFORMS-extract-ws-server

transforms.conf

SOURCE_KEY = MetaData:Source
REGEX = /([^/]+)$
FORMAT = ws_server::$1
WRITE_META = true

fields.conf

[ws_server]
INDEXED = true
INDEXED_VALUE = false

Extracting a search-time field would be easier. Just specifing the extraction in props.conf:

[your_sourcetype]
EXTRACt-ws = ^/([^/]+)$ in source

View solution in original post

ziegfried
Influencer

Yes you can extract it to a field. If you want to search for it, you will want to use a indexed field (as opposed to a search time extracted field).

props.conf

[your_sourcetype]
TRANSFORMS-extract-ws-server

transforms.conf

SOURCE_KEY = MetaData:Source
REGEX = /([^/]+)$
FORMAT = ws_server::$1
WRITE_META = true

fields.conf

[ws_server]
INDEXED = true
INDEXED_VALUE = false

Extracting a search-time field would be easier. Just specifing the extraction in props.conf:

[your_sourcetype]
EXTRACt-ws = ^/([^/]+)$ in source

marcoscala
Builder

The Search-time field extraction with EXTRACT key works fine and it's usually recommended by Splunk.

0 Karma

tedder
Communicator

For using it in a search, you can test it with this:

rex field=_raw "https-blah.com/(?<path>\S*)"

Might have to adjust it, depending on what other values exist.

After that, use field extractions.

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...