- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract Field from source's file path
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I would to know if it is possible to use a part of the source events file path ie "foobar" from
/weblogs/123/https-blah.com/foobar
and extract it as a field or value (ie ws_server) in either a search or via transforms.conf / props.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For using it in a search, you can test it with this:
rex field=_raw "https-blah.com/(?<path>\S*)"
Might have to adjust it, depending on what other values exist.
After that, use field extractions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you can extract it to a field. If you want to search for it, you will want to use a indexed field (as opposed to a search time extracted field).
props.conf
[your_sourcetype]
TRANSFORMS-extract-ws-server
transforms.conf
SOURCE_KEY = MetaData:Source
REGEX = /([^/]+)$
FORMAT = ws_server::$1
WRITE_META = true
fields.conf
[ws_server]
INDEXED = true
INDEXED_VALUE = false
Extracting a search-time field would be easier. Just specifing the extraction in props.conf:
[your_sourcetype]
EXTRACt-ws = ^/([^/]+)$ in source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you can extract it to a field. If you want to search for it, you will want to use a indexed field (as opposed to a search time extracted field).
props.conf
[your_sourcetype]
TRANSFORMS-extract-ws-server
transforms.conf
SOURCE_KEY = MetaData:Source
REGEX = /([^/]+)$
FORMAT = ws_server::$1
WRITE_META = true
fields.conf
[ws_server]
INDEXED = true
INDEXED_VALUE = false
Extracting a search-time field would be easier. Just specifing the extraction in props.conf:
[your_sourcetype]
EXTRACt-ws = ^/([^/]+)$ in source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Search-time field extraction with EXTRACT key works fine and it's usually recommended by Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For using it in a search, you can test it with this:
rex field=_raw "https-blah.com/(?<path>\S*)"
Might have to adjust it, depending on what other values exist.
After that, use field extractions.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
