Splunk Search
Highlighted

How do I extract a value from the 'source' field at search-time?

Splunk Employee
Splunk Employee

My log directories are structured like so -

/var/myapplogs/<app-name>/logs/*.log

How can I extract <app-name> as a field name at search time?

Highlighted

Re: How do I extract a value from the 'source' field at search-time?

Splunk Employee
Splunk Employee

In search:

... | rex field=source "^/[^\/]/[^\/]/(?<app_name>[^\/])"

or in props.conf:

[mysourcetype]
EXTRACT-appname = ^/[^\/]/[^\/]/(?<app_name>[^\/]) in source
Highlighted

Re: How do I extract a value from the 'source' field at search-time?

SplunkTrust
SplunkTrust

If you go with the props.conf approach, does this then make it possible to do searches on 'appname=fooapp' ?

0 Karma
Highlighted

Re: How do I extract a value from the 'source' field at search-time?

Splunk Employee
Splunk Employee

No. Fields extracted from non-raw indexed fields won't search correctly unless you also configure the extracted field as INDEXED_VALUE = false in the fields.conf file.

0 Karma