Solved: How to extract fields from source?

karthi2809 · ‎10-25-2024

How to extract fields from below source.

/audit/logs/QTEST/qtestw-core_server4-core_server4.log

I need extract QTEST as environment qtestw as hostname core_server4 as component core_server4.log as filename

gcusello · ‎10-25-2024

Hi @karthi2809 ,

you can use this regex:

| rex field=source "^\/\w+\/\w+\/(?<environment>\w+)\/\w+-(?<component>[^-]+)-(?<filename>.*)"

you can test this regex at https://regex101.com/r/0VJvAw/1

Ciao.

Giuseppe

View solution in original post

jawahir007 · ‎10-25-2024

Try this :

<your_search>|rex field=source "\/audit\/logs\/(?<environment>[^\/]*)\/(?<hostname>[^-]*)\-(?<component>[^-]*)\-(?<filename>.*$)"

------

If you find this solution helpful, please consider accepting it and awarding karma points !!

gcusello · ‎10-25-2024

Hi @karthi2809 ,

you can use this regex:

| rex field=source "^\/\w+\/\w+\/(?<environment>\w+)\/\w+-(?<component>[^-]+)-(?<filename>.*)"

you can test this regex at https://regex101.com/r/0VJvAw/1

Ciao.

Giuseppe

How to extract fields from source?

fields

If you find this solution helpful, please consider accepting it and awarding karma points !!

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?