Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: extract from source path not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to follow the directions here to extract a field from the source path of my directory -- but i cant seem to get it working.
At the end of the post it says to add
EXTRACT-ws_component = ^/([^/]+)$ in source
to my props.conf file. since this is a windows machine, I changed the backslash (/) to escaped forward slash (\\) and I end up with this
EXTRACT-ws_component = ^\\([^\\]+)$ in source'
Then when I go into search, my new field does not show up.
In the end I want to extract a field from pathname of the files A sample of the pathanmes is like so:
D:\extract\stressTest\hkln288p\WLS_ATH1\logs\out.log
D:\extract\stressTest\hkln288p\WLS_CMB_NA1\logs\out.log
D:\extract\stressTest\hkln289p\WLS_ATH2\logs\out.log
D:\extract\stressTest\hkln289p\WLS_ATH\logs\out.log
D:\extract\stressTest\hkln289p\WLS_CMB_BAC2\logs\out.log
where the field I want to extract is the WLS_* section: WLS_ATH1, WLS_ATH2... etc
how do I accomplish this?
lastly -- please excuse any oversights here, ive only been using splunk for a few days.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could try the following in props.conf for the sourcetype in question.
[your_sourcetype]
EXTRACT-wls = \\WLS_(?<ZZZ>[A-Z0-9_]+)
should give you a new field called ZZZ which would contain the various WLS_* (but not the leading WLS_ part, i.e ATH, ATH2, CMB_BAC2 etc)
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your initial regex featured a caret (^) in the initial position meaning "start at the beginning of the string" in regex-ese. Since the paths begin with D:\, your regex wasn't going to match. Glad to see you've got it working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could try the following in props.conf for the sourcetype in question.
[your_sourcetype]
EXTRACT-wls = \\WLS_(?<ZZZ>[A-Z0-9_]+)
should give you a new field called ZZZ which would contain the various WLS_* (but not the leading WLS_ part, i.e ATH, ATH2, CMB_BAC2 etc)
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks - that was enough to get it working. note the line MUST read EXTRACT-wls = \\WLS_(?<ZZZ>[A-Z0-9_]+) in source in order to work properly
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
