Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

find which event belong to which file in compress file

indeed_2000
Motivator
‎08-14-2021 11:12 PM

Hi

I have compress file that contain several files. in source just show compress file. e.g compress files name is log.bz2,  it contain log1 log2 log3

 

currently in source just show log.bz2 , how can I find which event belong to which file?

something like this  log.bz2 > log2

Any idea?

thanks

Labels (3)
Labels
0 Karma
Reply

tscroggins
Influencer
‎08-15-2021 04:37 PM

@indeed_2000 

How did you define your monitor input? What kind of archive is log.bz2? Source would typically have a value like /path/to/log.bz2:./log1, /path/to/log.bz2:./log2, /path/to/log.bz2:./log3, etc.

To replace source with the archived source path:

| rex field=source ":(?!\\\\)(?<source>.*)"

To replace source with the archived source file:

| rex field=source ".*[\\\\/](?<source>.*)"

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...