- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- regex / source stanza issue, trying to tie a regex...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
regex / source stanza issue, trying to tie a regex to match start-of-line
This props.conf stanza give me headaches.
[source::/(testing2|bin|sbin|etc|lib|usr)/...]
This does indeed work and match /testing2/some_file and that's great.
But it also seems to match /some_dir/testing2/some_other_file where I do not want it to be applied.
In regex normally it is possible to tie an expressions to the beginning of a line but it seems that I cannot get this to work in splunk.
This actually does not work btw:
[source::^(/(testing2|bin|sbin|etc|lib|usr)/...)]
Any ideas ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Unfortunately neither work.
I try to set the source-type based on the directory the file comes from while using a fschange stanza.
Setting the sourcetype in inputs.conf does not work as intended but overwrites the sourcetype set by the fschange module (that I need to keep), so setting it in props.conf works fine for me.
Besides that I need to treat the files from the listed directories in a special way and ONLY those from those directories.
A lot of other files / directories and the like from the same host are fed into splunk but I need not to interfere with their processing.
BUT as I wrote above it also applies the rules to a directory like
/somedir_/testing2/some_file
which it should not do actually so I would like to have the regex stick to the beginning of the source (which is the directory and filename ...)
Any ideas ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps the following?
[source::[^/(testing2|bin|sbin|etc|lib|usr)/...]]
I think the better question to ask is what you're trying to achieve? Are you trying to set the source based on the directory? It should do that automatically. If you're just after the root directory as the source, perhaps following this guide might help: http://docs.splunk.com/Documentation/Splunk/4.3/Data/Overridedefaulthostassignments
Just swap 'host' for 'source' and flavour to taste. Hope it works out. Otherwise, perhaps a custom field, such as 'root' might be an easier method of achieving what you want instead of trying to customise the source field (it might not be possible to change source field dynamically).
-
*Edit: It might also be possible to use \A instead of ^, as per http://www.regextester.com/pregsyntax.html
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
