Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SPL: extract logfile name from source field

danielsofoulis
Path Finder
‎04-20-2017 04:50 PM

Hi, I am trying to setup a dropdown bar for a dashboard and would like to setup dynamic inputs based on the source log file, as there are many different sites being built and torn down.

example source log name:

D:\Apache\logs\example.com.au_accessLog_2017-04-20-00_00_00.log

I would like to extract "example.com.au" from the above source log file and drop everything else. Then make it a distinct value. This value would then be selectable in the dropdown bar to filter on that site.

This is what I've attempted but is not returning what I need.

index=example sourcetype=test:access | eval baseurl = mvindex(split(source,"/", -1) | top baseurl

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

danielsofoulis
Path Finder
‎04-20-2017 05:57 PM

I've managed to get it working using
rex field=source "\w+\(?P[\w+]+)_accessLog\S+$"| top 20 site

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

danielsofoulis
Path Finder
‎04-20-2017 05:57 PM

I've managed to get it working using
rex field=source "\w+\(?P[\w+]+)_accessLog\S+$"| top 20 site

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎04-20-2017 05:19 PM 
...| rex field=source "logs\\(?<fqdn>\S+)_accessLog" | top fqdn
0 Karma
Reply
Solved! Jump to solution

danielsofoulis
Path Finder
‎04-20-2017 05:40 PM

Hi thanks for you help, but I'm also getting an error when I run your rex:
Error in 'rex' command: Encountered the following error while compiling the regex 'logs(

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎04-21-2017 05:51 AM

Sorry I had my question mark in the wrong place.

0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎04-20-2017 05:13 PM

The following should work for you to extract the part you want from the source field:

index=example sourcetype=test:access | rex field=source "\\(?P<file>[^_\\]+)_[^\\]$"
0 Karma
Reply
Solved! Jump to solution

danielsofoulis
Path Finder
‎04-20-2017 05:39 PM

Thank you for answering. I ran the search with the rex you provided and got the following error:
Error in 'rex' command: Encountered the following error while compiling the regex '(?P[^]+)[^]$': Regex: missing terminating ] for character class

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...