
regex / source stanza issue, trying to tie a regex to match start-of-line

flo_cognosec
Communicator

This props.conf stanza gives me headaches.

[source::/(testing2|bin|sbin|etc|lib|usr)/...]

This does indeed work and match /testing2/some_file and that's great.
But it also seems to match /some_dir/testing2/some_other_file where I do not want it to be applied.

In regex it is normally possible to tie an expression to the beginning of a line, but it seems that I cannot get this to work in Splunk.

This actually does not work btw:
[source::^(/(testing2|bin|sbin|etc|lib|usr)/...)]

Any ideas?

flo_cognosec
Communicator

Hi

Unfortunately neither work.

I am trying to set the sourcetype based on the directory the file comes from while using a fschange stanza.
Setting the sourcetype in inputs.conf does not work as intended but overwrites the sourcetype set by the fschange module (which I need to keep), so setting it in props.conf works fine for me.
Besides that, I need to treat the files from the listed directories in a special way, and ONLY those from those directories.
A lot of other files, directories and the like from the same host are fed into Splunk, but I need to not interfere with their processing.

BUT, as I wrote above, it also applies the rules to a directory like
/somedir_/testing2/some_file
which it actually should not do, so I would like to have the regex stick to the beginning of the source (which is the directory and filename ...).

Any ideas?

milestulett
Path Finder

Perhaps the following?

[source::[^/(testing2|bin|sbin|etc|lib|usr)/...]]

I think the better question to ask is: what are you trying to achieve? Are you trying to set the source based on the directory? It should do that automatically. If you're just after the root directory as the source, perhaps following this guide might help: http://docs.splunk.com/Documentation/Splunk/4.3/Data/Overridedefaulthostassignments

Just swap 'host' for 'source' and flavour to taste. Hope it works out. Otherwise, perhaps a custom field, such as 'root' might be an easier method of achieving what you want instead of trying to customise the source field (it might not be possible to change source field dynamically).

-

*Edit: It might also be possible to use \A instead of ^, as per http://www.regextester.com/pregsyntax.html
