Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

filed extraction on specific path

indeed_2000
Motivator
‎12-16-2019 07:05 AM

Hi
I want to create "field extract" on all logs that exist in below address.
/opt/logs/file1.log
/opt/logs/file2.log
/opt/logs/file3.log

when I create new "field extract" at first step ask me choose a source type: file1.log or file2.log or file3.log ?
How can extract field on all of them like "/opt/logs/*" ?
Should create index for this path?

Thanks,

0 Karma
Reply

to4kawa
Ultra Champion
‎12-16-2019 11:05 AM

Get started with getting data in

Have a look at this.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-16-2019 08:00 AM

Hi @mehrdad_2000,
let me understand:
you have a list of files that contain logs,
you want to associate to all logs a field called "field extract" that's a part of the source (e.g. the last part of the path),
I don't understand what do you mean when you say "at first step ask me choose a file".

Anyway to extract a field from the source field, it's easy using a regex like this:

index=my_index
| rex field=source "(?<field_extract>\w*\.log)$"
| ...

Ciao.
Giuseppe

0 Karma
Reply

indeed_2000
Motivator
‎12-16-2019 08:17 AM

1-I have several log files with different structure and want extract specific field on all of them.
2-At first step of "field extract" Splunk ask sourcetype.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-16-2019 08:25 AM

Hi @mehrdad_2000,
because usually knowledge objects (as fields) are related to a sourcetype and every log ingestion must have a sourcetype.
What's the sourcetype you associated to the above files?
You can use it.

Ciao.
Giuseppe

0 Karma
Reply

indeed_2000
Motivator
‎12-16-2019 10:56 AM

Custom sourcetype

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-16-2019 11:59 PM

Hi @mehrdad_2000,
as I said use this custom sourcetype, the only important hing is to use one sourcetype otherwise it's difficoult to use the fields.

Ciao.
Giuseppe

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-16-2019 07:58 AM

If all of the logs have the same structure then your field extraction can be done on one of them. When you do that, create a new sourcetype. Use that sourcetype when you index /opt/logs/* and the field extraction will be applied to all of the files in that directory.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

indeed_2000
Motivator
‎12-16-2019 08:15 AM

create new sourcetype as you mention "my_SourceType", but when I hit "field extraction" it has only show "my_SourceType" and it is empty ! there is no event!

while when going to the search it and enter "source = "/opt/logs/*" show all events!

Any recommendation?

Thanks,

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-17-2019 04:59 AM

Did you put the new sourcetype in your inputs.conf? The change will only apply to new data. Anything already indexed will be under the old sourcetype.

sourcetype = mysourcetype
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mayurr98
Super Champion
‎12-16-2019 07:55 AM

May I know how you are trying to extract?

0 Karma
Reply

indeed_2000
Motivator
‎12-16-2019 11:13 AM

Sure,
1-I’m going to the search and enter "source = "/opt/logs/*"
2-click on “field extraction”
https://docs.splunk.com/File:Extract_new_fields.png

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...