Solved: How to extract fields from multiple file source na...

sfatnass · ‎05-20-2016

Hi everybody,

I'm trying to extract fields from multiple source names.
It worked for one filename, but I have a lot of files.

It doesn't work with this example :
source::/path/*

if any body can help me thx

rdagan_splunk · ‎05-26-2016

Have you tried this?
[source::/path*/...]
instead of this?
[source::/path/*]

View solution in original post

rdagan_splunk · ‎05-26-2016

Have you tried this?
[source::/path*/...]
instead of this?
[source::/path/*]

sfatnass · ‎06-02-2016

i resolve it by using field transform thx

for all reply ^^

somesoni2 · ‎05-20-2016

You would need to provide some values, expected result (field names and values that needs to be extracted), and your last attempted search.

sfatnass · ‎05-20-2016

I will use regex To provide some values.
But how can i do if i have multiple source like 100000 file logs.

somesoni2 · ‎05-20-2016

Still not clear to me what you're trying to do here. Do you want to setup a field extraction, in props.conf, for multiple sources? OR you're want to extract a field, from the portion of the source field value?

sfatnass · ‎05-20-2016

I want To setup a field extraction in props.conf for multiple sources.

somesoni2 · ‎05-20-2016

Something like this should work

props.conf on Search Head

[source::/path/*]
EXTRACT-identifier=yourREGEXtoEXTRACTfield

It would be easier to set it up based on sourcetype as it's number should be low. Do these sources report on different sourcetypes?

How to extract fields from multiple file source names?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...