Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using multiple parameters for regexp host extraction

patrickprodoehl
Explorer
‎03-19-2020 11:59 AM

Dear community,

I am lost in creating a regexp that will ease up my data input creation.

So I do have a file share being monitored by splunk with the following structure:

/data/reports/ApplicationA/LocationA/very_interesting.log
/data/reports/ApplicationA/LocationB/very_interesting.log
/data/reports/ApplicationB/LocationB/very_interesting.log

To scale at ease, I would like to define a single data input for ApplicationA which extracts the host using 2 parameters of the path. i.e.

ApplicationA_LocationA
ApplicationA_LocationB

Do you have any idea, how I could transform the / between ApplicationA and the location subfolders to a _ and after do the pattern matching to extract the host?

Thanks in advance!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-19-2020 12:50 PM

You need to use transforms.conf. Set <spec> to your sourcetype name or source (source::/data/reports/*/*/*.log).

props.conf

[<spec>]
TRANSFORMS-colorchange

transforms.conf

[set_host]
SOURCE_KEY = MetaData:Source
REGEX = (\w+)\/(\w+)\/\w+\.log$
FORMAT = host::$1_$2
DEST_KEY = MetaData:Host

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-19-2020 12:50 PM

You need to use transforms.conf. Set <spec> to your sourcetype name or source (source::/data/reports/*/*/*.log).

props.conf

[<spec>]
TRANSFORMS-colorchange

transforms.conf

[set_host]
SOURCE_KEY = MetaData:Source
REGEX = (\w+)\/(\w+)\/\w+\.log$
FORMAT = host::$1_$2
DEST_KEY = MetaData:Host
Reply
Solved! Jump to solution

patrickprodoehl
Explorer
‎03-22-2020 03:50 AM

awesome! works for me with two adaptions:

props.conf

[source::/data/reports/*/*/*.log]
TRANSFORMS-hostExtract = hostExtract

transforms.conf
[hostExtract]
SOURCE_KEY = MetaData:Source
REGEX = (\w+)\/(\w+)\/\w+.log$
FORMAT = host::$1_$2
DEST_KEY = MetaData:Host

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...