Solved: How to extract fields from source?

karthi2809 · ‎10-25-2024

How to extract fields from below source.

/audit/logs/QTEST/qtestw-core_server4-core_server4.log

I need extract QTEST as environment qtestw as hostname core_server4 as component core_server4.log as filename

gcusello · ‎10-25-2024

Hi @karthi2809 ,

you can use this regex:

| rex field=source "^\/\w+\/\w+\/(?<environment>\w+)\/\w+-(?<component>[^-]+)-(?<filename>.*)"

you can test this regex at https://regex101.com/r/0VJvAw/1

Ciao.

Giuseppe

View solution in original post

Jawahir · ‎10-25-2024

Try this :

<your_search>|rex field=source "\/audit\/logs\/(?<environment>[^\/]*)\/(?<hostname>[^-]*)\-(?<component>[^-]*)\-(?<filename>.*$)"

------

If you find this solution helpful, please consider accepting it and awarding karma points !!

gcusello · ‎10-25-2024

Hi @karthi2809 ,

you can use this regex:

| rex field=source "^\/\w+\/\w+\/(?<environment>\w+)\/\w+-(?<component>[^-]+)-(?<filename>.*)"

you can test this regex at https://regex101.com/r/0VJvAw/1

Ciao.

Giuseppe

How to extract fields from source?

fields

If you find this solution helpful, please consider accepting it and awarding karma points !!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to extract fields from source?

fields

If you find this solution helpful, please consider accepting it and awarding karma points !!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...