Field Extraction

aknsun · ‎02-04-2020

Need some suggestion for field extraction.

Take this as an example:
I have a file path /opt/splunk/var/log/splunk/splunkd.log

There is already a field extraction done for this called file_name.

I would like to do a filed extraction with just the Directory path ( /opt/splunk/var/log/splunk/) and name dir_name.

The problem arises when I try to do a new extraction, as the path is sort of already used by file_name and splunk mentions that I need "To highlight text that is already part of an existing extraction, first turn off the existing extractions"

My doubt here is. If I turn of the existing extraction and then create one for dir_name, would I still be able to use file_name or does that get over-ridden by the new extraction?

Thanks,
AKN

to4kawa · ‎02-05-2020

| makeresults 
| eval file_name="/opt/splunk/var/log/splunk/splunkd.log" 
| rex field=file_name "(?<dir_name>\/.*\/)"

Hi, how about this?

vnravikumar · ‎02-04-2020

Hi

Check this

| makeresults 
| eval path="/opt/splunk/var/log/splunk/splunkd.log" 
| rex field=path "(^(?P<dir_name>.+)\/)([^\/]+)$"

or

| makeresults 
| eval path="/opt/splunk/var/log/splunk/splunkd.log" 
| eval dir_name=replace(path,"(\/[^\/]+)$","")

Field Extraction

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest