Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract Field from source's file path
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I would to know if it is possible to use a part of the source events file path ie "foobar" from
/weblogs/123/https-blah.com/foobar
and extract it as a field or value (ie ws_server) in either a search or via transforms.conf / props.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For using it in a search, you can test it with this:
rex field=_raw "https-blah.com/(?<path>\S*)"
Might have to adjust it, depending on what other values exist.
After that, use field extractions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you can extract it to a field. If you want to search for it, you will want to use a indexed field (as opposed to a search time extracted field).
props.conf
[your_sourcetype]
TRANSFORMS-extract-ws-server
transforms.conf
SOURCE_KEY = MetaData:Source
REGEX = /([^/]+)$
FORMAT = ws_server::$1
WRITE_META = true
fields.conf
[ws_server]
INDEXED = true
INDEXED_VALUE = false
Extracting a search-time field would be easier. Just specifing the extraction in props.conf:
[your_sourcetype]
EXTRACt-ws = ^/([^/]+)$ in source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you can extract it to a field. If you want to search for it, you will want to use a indexed field (as opposed to a search time extracted field).
props.conf
[your_sourcetype]
TRANSFORMS-extract-ws-server
transforms.conf
SOURCE_KEY = MetaData:Source
REGEX = /([^/]+)$
FORMAT = ws_server::$1
WRITE_META = true
fields.conf
[ws_server]
INDEXED = true
INDEXED_VALUE = false
Extracting a search-time field would be easier. Just specifing the extraction in props.conf:
[your_sourcetype]
EXTRACt-ws = ^/([^/]+)$ in source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Search-time field extraction with EXTRACT key works fine and it's usually recommended by Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For using it in a search, you can test it with this:
rex field=_raw "https-blah.com/(?<path>\S*)"
Might have to adjust it, depending on what other values exist.
After that, use field extractions.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
