How to extract filename form Source field

deepthi5 · ‎07-10-2015

Hi team,

I have got a csv files indexed into splunk with names SOURCE= C:\Netwrokanalysis\germany.csv ,c:\networkanalysis\singapore.csv i want to extract country name form this SOURCE field that is germany,singapore

Thanks ,
Deepthi

gyarici · ‎07-10-2015

Also assigning different sourcetype per county csv file is other option and you can handle it better for your future search queries.

In your input.conf file;

[monitor://C:\networkanalysisgermany.csv]
disabled = false
sourcetype = Germany

[monitor://C:\networkanalysissingapore.csv]
disabled = false
sourcetype = Singapore

Create Sourcetypes

Hope it helps

Gokhan

sc0tt · ‎07-10-2015

This is probably the best solution.

joao_amorim · ‎07-10-2015

I didn't test it but it should work if the length of the first part of the SOURCE string is always the same.
You can also apply a rex command after applying the split command, but it will do the same than the command proposed by sc0tt

sc0tt · ‎07-10-2015

I'm sure there is a more elegant solution, but would something like | eval country = mvindex(split(substr(source,18),"."),0) work?

Edit: This should work as well

rex field=source "c:networkanalysis(?<country>\S+).csv"

How to extract filename form Source field

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases