I have a source of /var/log/opscode/desired_sourcetype/current. I need to get the part of the filename that is called "desired_sourcetype" via regex. I am almost there, the rewriting is working great. Here is my config:
Props:
[chef:server]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRANSFORMS-update_metadata = autosource
Transforms:
[autosource]
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Source
REGEX = \w+
FORMAT = sourcetype::chef:server:$4
Clearly I am not well versed in regex. So what would the regex be to capture the 3rd element of the filepath delimited by the /?
Any help is MUCH appreciated!
Like this:
[autosource]
SOURCE_KEY = MetaData:Source
REGEX = ^source::(?:/[^/]+){3}/([^/]+)/
FORMAT = sourcetype::chef:server:$1
DEST_KEY = MetaData:Sourcetype
Deploy to Indexers (or HFs) and restart splunk instances and verify on NEW events (old events will stay broken).
Hi brent_weaver,
do you want to extract this field at search time or at index time?
at search time you could use a regex like this
\/var\/log\/opscode\/(?<desired_courcetype>[^\/]*)
test it at https://regex101.com/r/8YMnMh/1
Bye.
Giuseppe
Also important to note that "desired_sourcetype" is variable, that is not a static string.
Giuseppe - I would want it at index time. This config is sitting on a heavy weight forwarder. So if I used that config what would my FORMAT field look like in transforms?
You can just use the same REGEX (minus the name capture), i.e. just \/var\/log\/opscode\/([^\/]*)
as REGEX in your transforms.conf.
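A small emulation of the index-time transform discussed in the first answer and in the reply just above, added here as an example and not part of the thread or of Splunk itself: it runs both proposed REGEX values against a MetaData:Source value (which Splunk presents as "source::<path>", hence the ^source:: anchor) and substitutes $1 into FORMAT. The apply_transform helper and the sample paths are constructed for illustration.

```python
import re

# Constructed emulation of Splunk's REGEX/FORMAT handling for a transform with
# SOURCE_KEY = MetaData:Source and DEST_KEY = MetaData:Sourcetype. At index time
# the source key value carries the "source::" prefix, so the anchored regex from
# the first answer must account for it; the path-based regex is unanchored.
REGEX_ANCHORED = r"^source::(?:/[^/]+){3}/([^/]+)/"
REGEX_PATH = r"/var/log/opscode/([^/]*)"
FORMAT = "sourcetype::chef:server:$1"


def apply_transform(source_value, regex, fmt=FORMAT):
    """Return the new sourcetype value, or None when REGEX does not match.

    When the regex fails, Splunk leaves the existing sourcetype untouched,
    which is why a mismatch here is reported as None rather than an error.
    """
    m = re.search(regex, source_value)
    if not m:
        return None
    out = fmt
    # Replace $1, $2, ... with the corresponding capture groups.
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace(f"${i}", group if group is not None else "")
    return out


def sourcetype_from_source(path, regex=REGEX_ANCHORED):
    """Build the MetaData:Source value Splunk would see and apply the transform."""
    return apply_transform("source::" + path, regex)


if __name__ == "__main__":
    # Constructed sample paths: the poster's layout plus two that should not match.
    for path in ("/var/log/opscode/desired_sourcetype/current",
                 "/var/log/opscode/other_sourcetype/current",
                 "/var/log/syslog"):
        print(path, "->", sourcetype_from_source(path),
              "|", sourcetype_from_source(path, REGEX_PATH))
```

Both regexes yield the same sourcetype for the poster's path; they differ only on paths with no file under the directory, where the anchored form (which requires a trailing "/") does not match.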