Splunk Search

How to get dynamic source name from a request?

batham
Explorer

Hi Folks ,

I am new to splunk and trying to get dynamic source value from the response, here is my query:  

index="itestData" AND source="/opt/ABC/DEF/GHI/KLM/LOG*" AND "error"

Please note that * after LOG is a dynamic value (like LOG-A.log , LOG-B.log, LOG-C.log) and there are at least 70 servers like this, when i get any error i want to know from which log this error is coming (A or B or C and so on) .

Let me know if there is any other way to get this (i do not want to individually put the name of sources as servers go up and down )

Thanks in advance.

Labels (3)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

Use rex to extract the server name from the source, i.e.

| rex field=source ".*LOG-(?<server>.*)"

That will give you a new field name called 'server' - note it captures everything in the source field following LOG-

Then you can do whatever you want with that new field.

richgalloway
SplunkTrust
SplunkTrust

When you look at the output of that search you should see 'host=', 'source=', and 'sourcetype=' values under each returned event.  Those values are exact, without wildcards.  You can can include the source field in the output using the table command.

index="itestData" AND source="/opt/ABC/DEF/GHI/KLM/LOG*" AND "error"
| table source
---
If this reply helps you, Karma would be appreciated.
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...

Inside Event Intelligence: How ITSI Turns Network Alerts into Actionable Incidents

Tech Talk Inside Event Intelligence: How ITSI Turns Network Alerts into Actionable Incidents   Correlating ...

Observability Simplified: Combining User Experience, Application Performance & ...

  Tech Talk Network to App: Observability Unlocked   Today’s digital environments span applications, ...