Splunk Search

Need regex help to use part of a filepath as source type

brent_weaver
Builder

I have a source of /var/log/opscode/desired_sourcetype/current. I need to get the part of the filename that is called "desired_sourcetype" via regex. I am almost there, the rewriting is working great. Here is my config:

Props:

[chef:server]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRANSFORMS-update_metadata = autosource

Transforms:

[autosource]
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Source
REGEX = \w+
FORMAT = sourcetype::chef:server:$4

Clearly I am not well versed in regex. So what would the regex be to capture the 3rd element of the filepath delimited by the "/"?

Any help is MUCH appreciated!


woodcock
Esteemed Legend

Like this:

[autosource]
SOURCE_KEY = MetaData:Source
REGEX = ^source::(?:/[^/]+){3}/([^/]+)/
FORMAT = sourcetype::chef:server:$1
DEST_KEY = MetaData:Sourcetype

woodcock
Esteemed Legend

Deploy to Indexers (or HFs) and restart splunk instances and verify on NEW events (old events will stay broken).


gcusello
SplunkTrust

Hi brent_weaver,
Do you want to extract this field at search time or at index time?
At search time you could use a regex like this:

\/var\/log\/opscode\/(?<desired_courcetype>[^\/]*)

Test it at https://regex101.com/r/8YMnMh/1
Bye.
Giuseppe

brent_weaver
Builder

Also important to note that "desired_sourcetype" is variable; it is not a static string.


brent_weaver
Builder

Giuseppe - I would want it at index time. This config is sitting on a heavyweight forwarder. So if I used that config, what would my FORMAT field look like in transforms?


somesoni2
Revered Legend

You can just use the same REGEX (minus the named capture), i.e. just \/var\/log\/opscode\/([^\/]*) as REGEX in your transforms.conf.

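The two REGEX proposals in this thread (woodcock's anchored one and somesoni2's unanchored one), exercised with a small Python emulation of how a transforms.conf stanza rewrites MetaData:Sourcetype from MetaData:Source. This is an added example, not code from any poster or from Splunk; it assumes the SOURCE_KEY value carries the "source::" prefix at index time, which is why woodcock's regex begins with ^source::, and that a non-matching REGEX leaves DEST_KEY untouched.

```python
import re

# Constructed sample of MetaData:Source as the transform sees it at index
# time (assumption: the value is prefixed with "source::").
SAMPLE_SOURCE = "source::/var/log/opscode/desired_sourcetype/current"

# The two REGEX settings proposed in the thread, plus the FORMAT from the answer.
REGEX_WOODCOCK = r"^source::(?:/[^/]+){3}/([^/]+)/"
REGEX_SOMESONI = r"\/var\/log\/opscode\/([^\/]*)"
FORMAT = "sourcetype::chef:server:$1"


def apply_transform(regex, fmt, source_value,
                    current_sourcetype="sourcetype::chef:server"):
    """Emulate a stanza with SOURCE_KEY = MetaData:Source and
    DEST_KEY = MetaData:Sourcetype.

    Returns the new DEST_KEY value. If REGEX does not match the source value,
    the destination is left as it was, so the existing sourcetype is returned.
    """
    m = re.search(regex, source_value)
    if m is None:
        return current_sourcetype
    # Substitute $1, $2, ... in FORMAT with the matching capture groups.
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)


if __name__ == "__main__":
    cases = [
        SAMPLE_SOURCE,                          # expected: chef:server:desired_sourcetype
        "/var/log/opscode/x/current",           # no "source::" prefix: anchored regex misses
        "source::/var/log/nginx/access.log",    # outside opscode tree: both leave it alone
    ]
    for src in cases:
        print(src)
        print("  woodcock :", apply_transform(REGEX_WOODCOCK, FORMAT, src))
        print("  somesoni2:", apply_transform(REGEX_SOMESONI, FORMAT, src))
```

The second case is the one to watch when deploying: an anchored regex that assumes the "source::" prefix silently does nothing if the key value is shaped differently, so verify on fresh events as woodcock advises.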