Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

extract from source path not working

kittle
New Member
‎08-07-2012 02:38 PM

I tried to follow the directions here to extract a field from the source path of my directory -- but i cant seem to get it working.

At the end of the post it says to add

EXTRACT-ws_component = ^/([^/]+)$ in source

to my props.conf file. since this is a windows machine, I changed the backslash (/) to escaped forward slash (\\) and I end up with this

EXTRACT-ws_component = ^\\([^\\]+)$ in source'

Then when I go into search, my new field does not show up.

In the end I want to extract a field from pathname of the files A sample of the pathanmes is like so: 

D:\extract\stressTest\hkln288p\WLS_ATH1\logs\out.log  
D:\extract\stressTest\hkln288p\WLS_CMB_NA1\logs\out.log  
D:\extract\stressTest\hkln289p\WLS_ATH2\logs\out.log  
D:\extract\stressTest\hkln289p\WLS_ATH\logs\out.log  
D:\extract\stressTest\hkln289p\WLS_CMB_BAC2\logs\out.log

where the field I want to extract is the WLS_* section: WLS_ATH1, WLS_ATH2... etc

how do I accomplish this?

lastly -- please excuse any oversights here, ive only been using splunk for a few days.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-07-2012 03:33 PM

You could try the following in props.conf for the sourcetype in question.

[your_sourcetype]
EXTRACT-wls = \\WLS_(?<ZZZ>[A-Z0-9_]+)

should give you a new field called ZZZ which would contain the various WLS_* (but not the leading WLS_ part, i.e ATH, ATH2, CMB_BAC2 etc)

Hope this helps,

K

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎08-07-2012 06:02 PM

Your initial regex featured a caret (^) in the initial position meaning "start at the beginning of the string" in regex-ese. Since the paths begin with D:\, your regex wasn't going to match. Glad to see you've got it working.

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-07-2012 03:33 PM

You could try the following in props.conf for the sourcetype in question.

[your_sourcetype]
EXTRACT-wls = \\WLS_(?<ZZZ>[A-Z0-9_]+)

should give you a new field called ZZZ which would contain the various WLS_* (but not the leading WLS_ part, i.e ATH, ATH2, CMB_BAC2 etc)

Hope this helps,

K

0 Karma
Reply
Solved! Jump to solution

kittle
New Member
‎08-07-2012 04:44 PM

Thanks - that was enough to get it working. note the line MUST read EXTRACT-wls = \\WLS_(?<ZZZ>[A-Z0-9_]+) in source in order to work properly

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...