- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: extract a name from file location
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
How do I extract word "Dev" from below file location
source=/test1/folder1/scripts/monitor/log/env/dev/Error.log
and add some if condition statements like if word=dev,change it to development
word=test,change it to loadtest in splunk query.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are making lots of apparently conflicting statements. It is important to illustrate/supplement your problem with sample/mock data and desired results, as well as a plain language statement of the logic between illustrated data and desired results. Can you confirm that you are looking for results like
| dev | env | source |
| dev11 | env11 | /test1/folder1/scripts/monitor/log/env11/dev11/Error.log |
| dev21 | env21 | /test2/folder1/scripts/monitor/log/env21/dev21/Error.log |
In other words, you want the second-to-last segment of the path to be in a field (named dev) and the 3rd-to-last segment to be in another field (named env).
If my mind-reading is correct, you can use the following
| eval mvsource = split(source, "/")
| eval env = mvindex(mvsource, -3), dev = mvindex(mvsource, -2)
This is the emulation I use to produce the sample data
| makeresults format=csv data="source
/test1/folder1/scripts/monitor/log/env11/dev11/Error.log
/test2/folder1/scripts/monitor/log/env21/dev21/Error.log"
``` data emulation above ```
Play with it and compare with real data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are making lots of apparently conflicting statements. It is important to illustrate/supplement your problem with sample/mock data and desired results, as well as a plain language statement of the logic between illustrated data and desired results. Can you confirm that you are looking for results like
| dev | env | source |
| dev11 | env11 | /test1/folder1/scripts/monitor/log/env11/dev11/Error.log |
| dev21 | env21 | /test2/folder1/scripts/monitor/log/env21/dev21/Error.log |
In other words, you want the second-to-last segment of the path to be in a field (named dev) and the 3rd-to-last segment to be in another field (named env).
If my mind-reading is correct, you can use the following
| eval mvsource = split(source, "/")
| eval env = mvindex(mvsource, -3), dev = mvindex(mvsource, -2)
This is the emulation I use to produce the sample data
| makeresults format=csv data="source
/test1/folder1/scripts/monitor/log/env11/dev11/Error.log
/test2/folder1/scripts/monitor/log/env21/dev21/Error.log"
``` data emulation above ```
Play with it and compare with real data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's an example you can run in the search window - you are interested in the last two lines : rex statement and the final eval statement.
| makeresults
| fields - _time
| eval source=split("/test1/folder1/scripts/monitor/log/env/dev/Error.log,/test1/folder1/scripts/monitor/log/env/test/Error.log", ",")
| mvexpand source
| rex field=source ".*\/(?<env>\w+)\/.*"
| eval environment=case(env="dev","development",env="test","loadtest",true(), "unknown:".env)There are several ways you can assign the name to the environment - if you have lots of environments you can do this from a lookup or just use the case statement.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your response
But my file location is
/test1/folder1/.scripts/monitor/log/env/dev/Error.log
So interested to get both values of
env and dev
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not clear what you are saying - your original post says want the word "dev", but you also want the word "env" also?
Is "env" something that can change?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes
/test1/folder1/.scripts/monitor/log/env/dev/Error.log
I want
field 1=value of env
field 2=value of dev
as there is scope of this changing later.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also
/test1/folder1/scripts/monitor/log/env/dev/Error.log is dynamic source field value and not hardcoded value /test1/folder1/scripts/monitor/log/env/dev/Error.log so I need to integrate index command with makeresults something like this
index="monitoring"
source="/test1/folder1/.scripts/monitor/log/env/dev/Error.log"
extract values of env and dev...that can be dynamic to separate fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When someone provides you an example using the makeresults command, it is an example you can run to DEMONSTRATE the solution - in my posting I showed the example and said you need the last two lines.
The rex statement extracts fields from data. This will extract "env" and "dev" into fields a and b. Call them what you like
| rex field=source ".*\/(?<a>\w+)\/(?<b>\w+)\/.*"
Index This | What are the 12 Days of Splunk-mas?
Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off
What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience
