Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using multiple parameters for regexp host extracti...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
patrickprodoehl
Explorer
03-19-2020
11:59 AM
Dear community,
I am lost in creating a regexp that will ease up my data input creation.
So I do have a file share being monitored by splunk with the following structure:
/data/reports/ApplicationA/LocationA/very_interesting.log
/data/reports/ApplicationA/LocationB/very_interesting.log
/data/reports/ApplicationB/LocationB/very_interesting.log
To scale at ease, I would like to define a single data input for ApplicationA which extracts the host using 2 parameters of the path. i.e.
ApplicationA_LocationA
ApplicationA_LocationB
Do you have any idea, how I could transform the / between ApplicationA and the location subfolders to a _ and after do the pattern matching to extract the host?
Thanks in advance!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-19-2020
12:50 PM
You need to use transforms.conf. Set <spec> to your sourcetype name or source (source::/data/reports/*/*/*.log).
props.conf
[<spec>]
TRANSFORMS-colorchange
transforms.conf
[set_host]
SOURCE_KEY = MetaData:Source
REGEX = (\w+)\/(\w+)\/\w+\.log$
FORMAT = host::$1_$2
DEST_KEY = MetaData:Host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-19-2020
12:50 PM
You need to use transforms.conf. Set <spec> to your sourcetype name or source (source::/data/reports/*/*/*.log).
props.conf
[<spec>]
TRANSFORMS-colorchange
transforms.conf
[set_host]
SOURCE_KEY = MetaData:Source
REGEX = (\w+)\/(\w+)\/\w+\.log$
FORMAT = host::$1_$2
DEST_KEY = MetaData:Host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
patrickprodoehl
Explorer
03-22-2020
03:50 AM
awesome! works for me with two adaptions:
props.conf
[source::/data/reports/*/*/*.log]
TRANSFORMS-hostExtract = hostExtract
transforms.conf
[hostExtract]
SOURCE_KEY = MetaData:Source
REGEX = (\w+)\/(\w+)\/\w+.log$
FORMAT = host::$1_$2
DEST_KEY = MetaData:Host
Get Updates on the Splunk Community!
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
4 Ways the Splunk Community Helps You Prepare for .conf25
.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...
