Splunk Search

SPL: extract logfile name from source field

danielsofoulis
Path Finder

Hi, I am trying to set up a dropdown bar for a dashboard and would like to set up dynamic inputs based on the source log file, as there are many different sites being built and torn down.

example source log name:

D:\Apache\logs\example.com.au_accessLog_2017-04-20-00_00_00.log  

I would like to extract "example.com.au" from the above source log file and drop everything else. Then make it a distinct value. This value would then be selectable in the dropdown bar to filter on that site.

This is what I've attempted, but it is not returning what I need.

index=example sourcetype=test:access | eval baseurl = mvindex(split(source,"/", -1) | top baseurl

Thanks in advance.

1 Solution

danielsofoulis
Path Finder

I've managed to get it working using
rex field=source "\w+\(?P<site>[\w+]+)_accessLog\S+$" | top 20 site



jkat54
SplunkTrust
...| rex field=source "logs\\(?<fqdn>\S+)_accessLog" | top fqdn

danielsofoulis
Path Finder

Hi, thanks for your help, but I'm also getting an error when I run your rex:
Error in 'rex' command: Encountered the following error while compiling the regex 'logs(


jkat54
SplunkTrust

Sorry I had my question mark in the wrong place.


cpetterborg
SplunkTrust

The following should work for you to extract the part you want from the source field:

index=example sourcetype=test:access | rex field=source "\\(?P<file>[^_\\]+)_[^\\]$"

danielsofoulis
Path Finder

Thank you for answering. I ran the search with the rex you provided and got the following error:
Error in 'rex' command: Encountered the following error while compiling the regex '\(?P<file>[^_\]+)_[^\]$': Regex: missing terminating ] for character class

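A worked model of the two things this thread runs into, added here as an illustration and not code from any of the posters: a pattern that pulls the site name (dots included) out of a Windows `source` path and de-duplicates it for the dropdown, and a model of the SPL string handling that the "missing terminating ]" error points to (one level of `\\` unescaping before the regex engine sees the pattern). `SITE_PATTERN`, `spl_unescape`, `spl_rex` and the sample paths are my assumptions, and Python's `re` stands in for Splunk's PCRE.

```python
import re

# Constructed sample values of the Splunk "source" field (not taken from the thread).
SAMPLE_SOURCES = [
    r"D:\Apache\logs\example.com.au_accessLog_2017-04-20-00_00_00.log",
    r"D:\Apache\logs\example.com.au_accessLog_2017-04-21-00_00_00.log",
    r"D:\Apache\logs\shop.example.net_accessLog_2017-04-20-00_00_00.log",
    r"D:\Apache\logs\intranet_errorLog_2017-04-20-00_00_00.log",  # not an access log
]

# Pattern as the regex engine should see it: the path component right before
# "_accessLog_". Dots are allowed (the site is a hostname); backslashes and
# underscores are not, so the match cannot run back into an earlier directory.
SITE_PATTERN = re.compile(r"\\(?P<site>[^\\_]+)_accessLog_")


def extract_sites(sources):
    """Distinct site names in first-seen order: the dropdown's choice list."""
    seen = []
    for src in sources:
        m = SITE_PATTERN.search(src)
        if m and m.group("site") not in seen:
            seen.append(m.group("site"))
    return seen


def spl_unescape(quoted):
    """Assumed model of a double-quoted SPL string on its way to the regex engine:
    one level of backslash escaping is removed (\\\\ becomes \\). This is what the
    thread's 'missing terminating ]' error indicates, not Splunk's own code.
    str.replace scans left to right without overlap, so four backslashes become two."""
    return quoted.replace("\\\\", "\\")


def compiles_after_spl(quoted):
    """True if the pattern still compiles once SPL string handling has run."""
    try:
        re.compile(spl_unescape(quoted))
        return True
    except re.error:
        return False


def spl_rex(quoted, field_value, group):
    """Apply a double-quoted SPL rex pattern to one field value; None if no match."""
    m = re.search(spl_unescape(quoted), field_value)
    return m.group(group) if m else None
```

Under this model a literal backslash needs four backslashes in the search bar, and a class such as `[^_\\]` written with only two loses its closing bracket.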