Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is my extracted field not showing up in search...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have several log files as source of Splunk events.
C:\logs\Srv1\file1_2019-05-06.log
C:\logs\Srv84\file3_2019-05-06.log
C:\logs\Glob9\file18_2019-05-06.log
I am trying to extract the immediate parent directory name from the source field of events. So in a custom extracted field "appname", I am hoping to get values Srv1, Srv84 and Glob9 from examples above.
Here's what I am doing.
Splunk Web > Settings > Fields > Fields Extractions > Add new
Destination app: search
Name: source_app_name
Apply to: source named: app_name
Type: Inline
Extraction/Transform: ^.+\x5C(?<appname>(.+))\x5C[^\x5C]*$
Sharing: Global, All apps, Read permission to everyone.
When I run my search ...| extract reload=t I can't find appname field in All fields. All fields is selected in the Select field list.
Am I doing anything wrong with my field extraction, or with my search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @arpitporpay
The best way to do this is:
Go to Splunk Web > Settings > Fields > Fields Extractions > Add new
then add the below attributes:
app_name: <your app name>
name: source_app_name
sourcetype : < as per your requirement> --- the above mentioned source is incorrect as it is asking for which source it need to apply so it is better to use sourcetype.
Type: uses trasform
extraction: appname
Go to Splunk Web > Settings > Fields > Field transformations > Add new
destination_app: <your app name>
name : appname
type: regex-based
regular expression: ^.+\x5C(?<appname>(.+))\x5C[^\x5C]*$
source_key : source
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @arpitporpay
The best way to do this is:
Go to Splunk Web > Settings > Fields > Fields Extractions > Add new
then add the below attributes:
app_name: <your app name>
name: source_app_name
sourcetype : < as per your requirement> --- the above mentioned source is incorrect as it is asking for which source it need to apply so it is better to use sourcetype.
Type: uses trasform
extraction: appname
Go to Splunk Web > Settings > Fields > Field transformations > Add new
destination_app: <your app name>
name : appname
type: regex-based
regular expression: ^.+\x5C(?<appname>(.+))\x5C[^\x5C]*$
source_key : source
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Otherwise:
props.conf
[your_sourcetype]
REPORT-appname1= appname
transforms.conf
[appname]
REGEX= ^.+\x5C(?(.+))\x5C[^\x5C]*$
SOURCE_KEY = source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@arpitpropay : Could you please accept the answer to close the conversation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @vishaltaneja07011993 your solution (using field transformation in field extraction) worked for me.
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
