Solved: Extract Field from source's file path

pl123 · ‎01-19-2011

Hi, I would to know if it is possible to use a part of the source events file path ie "foobar" from

/weblogs/123/https-blah.com/foobar

and extract it as a field or value (ie ws_server) in either a search or via transforms.conf / props.

Thanks

tedder · ‎01-19-2011

For using it in a search, you can test it with this:

rex field=_raw "https-blah.com/(?<path>\S*)"

Might have to adjust it, depending on what other values exist.

After that, use field extractions.

ziegfried · ‎01-19-2011

Yes you can extract it to a field. If you want to search for it, you will want to use a indexed field (as opposed to a search time extracted field).

props.conf

[your_sourcetype]
TRANSFORMS-extract-ws-server

transforms.conf

SOURCE_KEY = MetaData:Source
REGEX = /([^/]+)$
FORMAT = ws_server::$1
WRITE_META = true

fields.conf

[ws_server]
INDEXED = true
INDEXED_VALUE = false

Extracting a search-time field would be easier. Just specifing the extraction in props.conf:

[your_sourcetype]
EXTRACt-ws = ^/([^/]+)$ in source

marcoscala · ‎09-30-2011

The Search-time field extraction with EXTRACT key works fine and it's usually recommended by Splunk.

Extract Field from source's file path