Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract Field from source's file path
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pl123
Path Finder
01-19-2011
05:57 AM
Hi, I would to know if it is possible to use a part of the source events file path ie "foobar" from
/weblogs/123/https-blah.com/foobar
and extract it as a field or value (ie ws_server) in either a search or via transforms.conf / props.
Thanks
2 Solutions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tedder
Communicator
01-19-2011
06:27 AM
For using it in a search, you can test it with this:
rex field=_raw "https-blah.com/(?<path>\S*)"
Might have to adjust it, depending on what other values exist.
After that, use field extractions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ziegfried
Influencer
01-19-2011
07:04 AM
Yes you can extract it to a field. If you want to search for it, you will want to use a indexed field (as opposed to a search time extracted field).
props.conf
[your_sourcetype]
TRANSFORMS-extract-ws-server
transforms.conf
SOURCE_KEY = MetaData:Source
REGEX = /([^/]+)$
FORMAT = ws_server::$1
WRITE_META = true
fields.conf
[ws_server]
INDEXED = true
INDEXED_VALUE = false
Extracting a search-time field would be easier. Just specifing the extraction in props.conf:
[your_sourcetype]
EXTRACt-ws = ^/([^/]+)$ in source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ziegfried
Influencer
01-19-2011
07:04 AM
Yes you can extract it to a field. If you want to search for it, you will want to use a indexed field (as opposed to a search time extracted field).
props.conf
[your_sourcetype]
TRANSFORMS-extract-ws-server
transforms.conf
SOURCE_KEY = MetaData:Source
REGEX = /([^/]+)$
FORMAT = ws_server::$1
WRITE_META = true
fields.conf
[ws_server]
INDEXED = true
INDEXED_VALUE = false
Extracting a search-time field would be easier. Just specifing the extraction in props.conf:
[your_sourcetype]
EXTRACt-ws = ^/([^/]+)$ in source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
marcoscala
Builder
09-30-2011
07:04 AM
The Search-time field extraction with EXTRACT key works fine and it's usually recommended by Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tedder
Communicator
01-19-2011
06:27 AM
For using it in a search, you can test it with this:
rex field=_raw "https-blah.com/(?<path>\S*)"
Might have to adjust it, depending on what other values exist.
After that, use field extractions.
Get Updates on the Splunk Community!
AppDynamics Summer Webinars
This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
SOCin’ it to you at Splunk University
Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
