How to get dynamic source name from a request?

batham · ‎12-11-2022

Hi Folks ,

I am new to splunk and trying to get dynamic source value from the response, here is my query:

index="itestData" AND source="/opt/ABC/DEF/GHI/KLM/LOG*" AND "error"

Please note that * after LOG is a dynamic value (like LOG-A.log , LOG-B.log, LOG-C.log) and there are at least 70 servers like this, when i get any error i want to know from which log this error is coming (A or B or C and so on) .

Let me know if there is any other way to get this (i do not want to individually put the name of sources as servers go up and down )

Thanks in advance.

bowesmana · ‎12-11-2022

Use rex to extract the server name from the source, i.e.

| rex field=source ".*LOG-(?<server>.*)"

That will give you a new field name called 'server' - note it captures everything in the source field following LOG-

Then you can do whatever you want with that new field.

richgalloway · ‎12-11-2022

When you look at the output of that search you should see 'host=', 'source=', and 'sourcetype=' values under each returned event. Those values are exact, without wildcards. You can can include the source field in the output using the table command.

index="itestData" AND source="/opt/ABC/DEF/GHI/KLM/LOG*" AND "error"
| table source

---
If this reply helps you, Karma would be appreciated.

How to get dynamic source name from a request?

metadata

stats

table

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability