I am a bit new to Splunk, and I am facing a problem creating a field using a regular expression. This field's values should be populated by reading the Splunk directory structure.
For example, I have the folders below in my Splunk directory structure.
I need to create a field, say "MyFields", which will be populated automatically with the directory names under \Splunk\etc\apps\appName\logs\. In this case: myField1, myField2, myField3, myField4.
I have a regular expression which can fetch the directory names under the path \Splunk\etc\apps\appName\logs.
But I am struggling to add such a field in the Splunk application.
Any help will be appreciated.
But as many answers state, index-time field extraction is not the best thing to do:
In general, we recommend search-time extractions rather than index-time extractions. There are relatively few cases where index-time extractions are better, and they come at the cost of brittleness of configuration and an increase in index size (which in turn makes searches slower).
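As an added illustration of the search-time approach the answer recommends (this is not from the original thread or from Splunk's own configuration), the stanza below defines the asker's "MyFields" field by running a regex against the source field rather than the event body. It assumes the events already carry a source path that contains \logs\<directory>\ and that they are indexed with a sourcetype named appName_logs; both the sourcetype name and the sample path are placeholders.

```ini
# props.conf (search-time extraction; added example, not the original poster's config)
# Assumes events were indexed with a source path such as
#   C:\Program Files\Splunk\etc\apps\appName\logs\myField1\app.log   (constructed)
# under the sourcetype "appName_logs" (placeholder name).
[appName_logs]
# Capture the directory name that follows "\logs\" (or "/logs/") in the source
# path. The trailing "in source" tells Splunk to apply the regex to the source
# field instead of _raw, so nothing about the indexed data has to change and
# the field appears at search time like any other extracted field.
EXTRACT-MyFields = [\\/]logs[\\/](?<MyFields>[^\\/]+)[\\/] in source
```

Before committing the regex to props.conf it is worth testing it interactively with the rex command on the same source field (for example `... | rex field=source "<regex>" | stats count by MyFields`), keeping in mind that a backslash inside a double-quoted search string must itself be escaped, so the pattern looks different in SPL than in the .conf file. Because the stanza is search-time only, the field can be renamed or the regex corrected later without re-indexing, which is exactly the brittleness the quoted documentation warns about with index-time extractions.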