Splunk Search

regex / source stanza issue, trying to tie a regex to match start-of-line

flo_cognosec
Communicator

This props.conf stanza gives me headaches.

[source::/(testing2|bin|sbin|etc|lib|usr)/...]

This does indeed work and match /testing2/some_file and that's great.
But it also seems to match /some_dir/testing2/some_other_file where I do not want it to be applied.

In regex it is normally possible to tie an expression to the beginning of a line, but I cannot seem to get this to work in Splunk.

This actually does not work, btw:
[source::^(/(testing2|bin|sbin|etc|lib|usr)/...)]

Any ideas?

flo_cognosec
Communicator

Hi

Unfortunately neither work.

I am trying to set the sourcetype based on the directory the file comes from while using a fschange stanza.
Setting the sourcetype in inputs.conf does not work as intended, because it overwrites the sourcetype set by the fschange module (which I need to keep), so setting it in props.conf works fine for me.
Besides that, I need to treat the files from the listed directories in a special way, and ONLY those from those directories.
A lot of other files / directories and the like from the same host are fed into Splunk, but I must not interfere with their processing.

BUT, as I wrote above, it also applies the rules to a directory like
/somedir_/testing2/some_file
which it actually should not do, so I would like to have the regex stick to the beginning of the source (which is the directory and filename ...).

Any ideas?

milestulett
Path Finder

Perhaps the following?

[source::[^/(testing2|bin|sbin|etc|lib|usr)/...]]

I think the better question to ask is what you're trying to achieve? Are you trying to set the source based on the directory? It should do that automatically. If you're just after the root directory as the source, perhaps following this guide might help: http://docs.splunk.com/Documentation/Splunk/4.3/Data/Overridedefaulthostassignments

Just swap 'host' for 'source' and flavour to taste. Hope it works out. Otherwise, perhaps a custom field, such as 'root' might be an easier method of achieving what you want instead of trying to customise the source field (it might not be possible to change source field dynamically).

-

*Edit: It might also be possible to use \A instead of ^, as per http://www.regextester.com/pregsyntax.html

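To make the anchoring question concrete, here is an added Python example (not from the thread or from Splunk) that treats a source:: pattern the way the thread discusses it: the wildcard translation (`*` matches anything except `/`, `...` matches anything including `/`) follows Splunk's documented props.conf wildcard semantics, while the sample source paths and the decision to run the resulting regex either unanchored or anchored with `\A` are constructed assumptions for the illustration, not a statement about how Splunk matches internally. The unanchored run reproduces the behaviour reported in the question (the stanza also catches /some_dir/testing2/...); the anchored run shows the start-of-source match the poster is after, and `anchors_agree` confirms that `^` and `\A` behave identically in a single-line, non-MULTILINE regex engine.

```python
import re

# Sample source paths, constructed for this example (not taken from the thread).
SOURCES = [
    "/testing2/some_file",
    "/bin/ls",
    "/usr/lib/libc.so",
    "/some_dir/testing2/some_other_file",   # should NOT be matched
    "/var/log/bin/foo",                     # should NOT be matched
]

STANZA_PATTERN = "/(testing2|bin|sbin|etc|lib|usr)/..."


def splunk_pattern_to_regex(pattern: str, anchored: bool) -> str:
    """Translate a props.conf source:: pattern into a Python regex.

    Wildcard rules (from the props.conf documentation):
      '*'   -> anything except '/'
      '...' -> anything, including '/'
    A literal '.' is escaped; alternation groups and other characters
    are passed through unchanged. If anchored is True the regex is tied
    to the start of the source with \\A (assumption: this is the effect
    the poster wants, not a claim about Splunk's own matcher).
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == ".":
            parts.append(r"\.")
            i += 1
        else:
            parts.append(pattern[i])
            i += 1
    body = "".join(parts)
    return r"\A" + body if anchored else body


def matching_sources(pattern: str, sources: list, anchored: bool) -> list:
    """Return the sources the pattern matches, using re.search so that an
    unanchored pattern can hit in the middle of the path, as in the question."""
    rx = re.compile(splunk_pattern_to_regex(pattern, anchored))
    return [s for s in sources if rx.search(s)]


def anchors_agree(pattern: str, sources: list) -> bool:
    """True when '^' and '\\A' select the same sources (no MULTILINE flag)."""
    body = splunk_pattern_to_regex(pattern, anchored=False)
    with_caret = [s for s in sources if re.search("^" + body, s)]
    with_a = [s for s in sources if re.search(r"\A" + body, s)]
    return with_caret == with_a


if __name__ == "__main__":
    print("unanchored:", matching_sources(STANZA_PATTERN, SOURCES, anchored=False))
    print("anchored:  ", matching_sources(STANZA_PATTERN, SOURCES, anchored=True))
    print("^ and \\A agree:", anchors_agree(STANZA_PATTERN, SOURCES))
```

The unanchored list contains all five paths, because `/testing2/` and `/bin/` also occur in the middle of the last two; the anchored list keeps only the three paths that start with one of the listed directories. That is the difference the question is about, independent of which anchor syntax a given engine accepts.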