find which event belong to which file in compress ...

indeed_2000 · ‎08-14-2021

Hi

I have compress file that contain several files. in source just show compress file. e.g compress files name is log.bz2, it contain log1 log2 log3

currently in source just show log.bz2 , how can I find which event belong to which file?

something like this log.bz2 > log2

Any idea?

thanks

tscroggins · ‎08-15-2021

@indeed_2000

How did you define your monitor input? What kind of archive is log.bz2? Source would typically have a value like /path/to/log.bz2:./log1, /path/to/log.bz2:./log2, /path/to/log.bz2:./log3, etc.

To replace source with the archived source path:

| rex field=source ":(?!\\\\)(?<source>.*)"

To replace source with the archived source file:

| rex field=source ".*[\\\\/](?<source>.*)"

find which event belong to which file in compress file

field extraction

fields

table

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?