Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract filename form Source field

deepthi5
Path Finder
‎07-10-2015 01:01 AM

Hi team,

I have got a csv files indexed into splunk with names SOURCE= C:\Netwrokanalysis\germany.csv ,c:\networkanalysis\singapore.csv i want to extract country name form this SOURCE field that is germany,singapore

Thanks ,
Deepthi

Tags (2)
0 Karma
Reply

gyarici
Path Finder
‎07-10-2015 02:48 AM

Also assigning different sourcetype per county csv file is other option and you can handle it better for your future search queries.

In your input.conf file;

[monitor://C:\networkanalysisgermany.csv]
disabled = false
sourcetype = Germany

[monitor://C:\networkanalysissingapore.csv]
disabled = false
sourcetype = Singapore

Create Sourcetypes

Hope it helps

Gokhan

Reply

sc0tt
Builder
‎07-10-2015 02:53 AM

This is probably the best solution.

0 Karma
Reply

joao_amorim
Communicator
‎07-10-2015 02:46 AM

I didn't test it but it should work if the length of the first part of the SOURCE string is always the same.
You can also apply a rex command after applying the split command, but it will do the same than the command proposed by sc0tt

0 Karma
Reply

sc0tt
Builder
‎07-10-2015 02:35 AM

I'm sure there is a more elegant solution, but would something like | eval country = mvindex(split(substr(source,18),"."),0) work?

Edit: This should work as well

rex field=source "c:networkanalysis(?<country>\S+).csv"
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...