Splunk Search

Need regex help to use part of a filepath as source type

brent_weaver
Builder

I have a source of /var/log/opscode/desired_sourcetype/current. I need to get the part of the filename that is called "desired_sourcetype" via regex. I am almost there, the rewriting is working great. Here is my config:

Props:

[chef:server]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRANSFORMS-update_metadata = autosource

Transforms:

[autosource]
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Source
REGEX = \w+
FORMAT = sourcetype::chef:server:$4

Clearly I am not well versed in regex. So what would the regex be to capture the 3rd element of the filepath delimited by the /?

Any help is MUCH appreciated!


woodcock
Esteemed Legend

Like this:

[autosource]
SOURCE_KEY = MetaData:Source
REGEX = ^source::(?:/[^/]+){3}/([^/]+)/
FORMAT = sourcetype::chef:server:$1
DEST_KEY = MetaData:Sourcetype

woodcock
Esteemed Legend

Deploy to Indexers (or HFs) and restart splunk instances and verify on NEW events (old events will stay broken).


gcusello
SplunkTrust

Hi brent_weaver,
do you want to extract this field at search time or at index time?
At search time you could use a regex like this:

\/var\/log\/opscode\/(?<desired_sourcetype>[^\/]*)

test it at https://regex101.com/r/8YMnMh/1
Bye.
Giuseppe

brent_weaver
Builder

Also important to note that "desired_sourcetype" is variable, that is not a static string.


brent_weaver
Builder

Giuseppe - I would want it at index time. This config is sitting on a heavy weight forwarder. So if I used that config, what would my FORMAT field look like in transforms?


somesoni2
SplunkTrust

You can just use the same REGEX (minus the named capture), i.e. just \/var\/log\/opscode\/([^\/]*) as REGEX in your transforms.conf.

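To check what the transforms.conf stanzas proposed in this thread would actually produce before deploying them to a heavy forwarder, here is an added Python emulation (not Splunk code and not posted by anyone in the thread). It runs both woodcock's anchored regex and somesoni2's unnamed-group variant against constructed MetaData:Source values (Splunk prefixes the source path with `source::`, which is why woodcock's pattern starts that way), expands the `$N` references in FORMAT, and shows why the original `\w+` / `$4` pair yields an empty suffix. The sample source paths, the `apply_transform` and `derived_sourcetype` helpers, and the assumption that an unmatched `$N` expands to an empty string are all constructed for this example.

```python
import re
from typing import Optional

# Constructed sample values: the MetaData:Source key carries the source path
# prefixed with "source::", which is the string the transform REGEX sees.
SAMPLE_SOURCES = [
    "source::/var/log/opscode/desired_sourcetype/current",
    "source::/var/log/opscode/nginx/current",
    "source::/var/log/syslog",  # does not fit the expected layout
]

# Regexes from the thread (Python 're' wants (?P<name>) for named groups,
# so the unnamed variant is used) plus the questioner's original stanza.
WOODCOCK_REGEX = r"^source::(?:/[^/]+){3}/([^/]+)/"
SOMESONI_REGEX = r"\/var\/log\/opscode\/([^\/]*)"
ORIGINAL_REGEX = r"\w+"
FORMAT = "sourcetype::chef:server:$1"
ORIGINAL_FORMAT = "sourcetype::chef:server:$4"

_GROUP_REF = re.compile(r"\$(\d+)")


def apply_transform(source_key: str, regex: str, fmt: str) -> Optional[str]:
    """Emulate one transforms.conf stanza: search SOURCE_KEY with REGEX and
    expand $N references in FORMAT. Returns the new DEST_KEY value, or None
    when REGEX does not match (Splunk then leaves the sourcetype unchanged).
    A $N with no such capture group is treated as empty (assumption)."""
    m = re.search(regex, source_key)
    if m is None:
        return None

    def expand(ref: re.Match) -> str:
        n = int(ref.group(1))
        if n > m.re.groups:
            return ""
        return m.group(n) or ""

    return _GROUP_REF.sub(expand, fmt)


def derived_sourcetype(source_key: str, regex: str = WOODCOCK_REGEX,
                       fmt: str = FORMAT) -> Optional[str]:
    """Strip the 'sourcetype::' prefix so the caller sees the final value
    that would land in the event's sourcetype field."""
    value = apply_transform(source_key, regex, fmt)
    if value is None:
        return None
    prefix = "sourcetype::"
    return value[len(prefix):] if value.startswith(prefix) else value


if __name__ == "__main__":
    variants = (
        ("original", ORIGINAL_REGEX, ORIGINAL_FORMAT),
        ("woodcock", WOODCOCK_REGEX, FORMAT),
        ("somesoni2", SOMESONI_REGEX, FORMAT),
    )
    for src in SAMPLE_SOURCES:
        for name, rx, fmt in variants:
            print(f"{name:10} {src} -> {derived_sourcetype(src, rx, fmt)!r}")
```

Both thread regexes give `chef:server:desired_sourcetype` for the first path and leave a path outside `/var/log/opscode/` untouched; the original stanza matches but produces `chef:server:` with nothing after the colon, because `\w+` has no capture group for `$4` to refer to. Remember woodcock's point that the transform only affects events indexed after the restart.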