Solved: How to extract fields from source?

karthi2809 · ‎10-25-2024

How to extract fields from below source.

/audit/logs/QTEST/qtestw-core_server4-core_server4.log

I need extract QTEST as environment qtestw as hostname core_server4 as component core_server4.log as filename

gcusello · ‎10-25-2024

Hi @karthi2809 ,

you can use this regex:

| rex field=source "^\/\w+\/\w+\/(?<environment>\w+)\/\w+-(?<component>[^-]+)-(?<filename>.*)"

you can test this regex at https://regex101.com/r/0VJvAw/1

Ciao.

Giuseppe

View solution in original post

jawahir007 · ‎10-25-2024

Try this :

<your_search>|rex field=source "\/audit\/logs\/(?<environment>[^\/]*)\/(?<hostname>[^-]*)\-(?<component>[^-]*)\-(?<filename>.*$)"

------

If you find this solution helpful, please consider accepting it and awarding karma points !!

gcusello · ‎10-25-2024

Hi @karthi2809 ,

you can use this regex:

| rex field=source "^\/\w+\/\w+\/(?<environment>\w+)\/\w+-(?<component>[^-]+)-(?<filename>.*)"

you can test this regex at https://regex101.com/r/0VJvAw/1

Ciao.

Giuseppe

How to extract fields from source?

fields

If you find this solution helpful, please consider accepting it and awarding karma points !!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

Are you a member of the Splunk Community?

How to extract fields from source?

fields

If you find this solution helpful, please consider accepting it and awarding karma points !!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...