Splunk Search

Need regex help to use part of a filepath as source type

brent_weaver
Builder

I have a source of /var/log/opscode/desired_sourcetype/current. I need to get the part of the filename that is called "desired_sourcetype" via regex. I am almost there, the rewriting is working great. Here is my config:

Props:

[chef:server]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRANSFORMS-update_metadata = autosource

Transforms:

[autosource]
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Source
REGEX = \w+
FORMAT = sourcetype::chef:server:$4

Clearly I am not well versed in regex. So what would the regex be to capture the 3rd element of the filepath, delimited by the /?

Any help is MUCH appreciated!


woodcock
Esteemed Legend

Like this:

[autosource]
SOURCE_KEY = MetaData:Source
REGEX = ^source::(?:/[^/]+){3}/([^/]+)/
FORMAT = sourcetype::chef:server:$1
DEST_KEY = MetaData:Sourcetype

woodcock
Esteemed Legend

Deploy to Indexers (or HFs) and restart the Splunk instances, then verify on NEW events (old events will stay broken).


gcusello
SplunkTrust

Hi brent_weaver,
Do you want to extract this field at search time or at index time?
At search time you could use a regex like this:

\/var\/log\/opscode\/(?<desired_courcetype>[^\/]*)

test it at https://regex101.com/r/8YMnMh/1
Bye.
Giuseppe

brent_weaver
Builder

Also important to note that "desired_sourcetype" is variable, that is not a static string.


brent_weaver
Builder

Giuseppe - I would want it at index time. This config is sitting on a heavyweight forwarder. So if I used that config, what would my FORMAT field look like in transforms?


somesoni2
SplunkTrust

You can just use the same REGEX (minus the named capture), i.e. just \/var\/log\/opscode\/([^\/]*) as REGEX in your transforms.conf.

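To check what the two index-time answers above (woodcock's anchored REGEX and somesoni2's unanchored variant) actually produce before deploying them, here is a small Python harness that mimics a transforms.conf stanza: it runs REGEX over the SOURCE_KEY value and expands the $N references in FORMAT from the capture groups. This is an added example, not Splunk code and not code from any poster; the sample source values are constructed, the helper names are hypothetical, and the stricter character class in STRICT_REGEX is an assumption of this example, not something from the thread.

```python
import re

# Constructed sample. Splunk exposes MetaData:Source with a "source::" prefix,
# which is why woodcock's REGEX anchors on "^source::".
SAMPLE_SOURCE = "source::/var/log/opscode/desired_sourcetype/current"

# woodcock's index-time REGEX: skip three path components, capture the fourth.
WOODCOCK_REGEX = re.compile(r"^source::(?:/[^/]+){3}/([^/]+)/")

# somesoni2's REGEX (gcusello's search-time pattern without the named group).
SOMESONI2_REGEX = re.compile(r"\/var\/log\/opscode\/([^\/]*)")

# brent_weaver's original REGEX, kept here only to show why $4 never expands.
ORIGINAL_REGEX = re.compile(r"\w+")

# Hypothetical stricter variant (assumption of this example): only accept
# directory names made of [A-Za-z0-9_-], so an odd path component cannot
# become a sourcetype value.
STRICT_REGEX = re.compile(r"^source::(?:/[^/]+){3}/([A-Za-z0-9_-]+)/")

FORMAT = "sourcetype::chef:server:$1"


def apply_transform(regex, fmt, source_value):
    """Mimic one transforms.conf stanza.

    Returns the expanded FORMAT string, or None when the REGEX does not
    match or FORMAT references a capture group the REGEX does not define
    (in Splunk a non-matching transform leaves DEST_KEY untouched, so the
    event keeps its original sourcetype).
    """
    m = regex.search(source_value)
    if m is None:
        return None
    refs = [int(n) for n in re.findall(r"\$(\d+)", fmt)]
    if any(n < 1 or n > regex.groups for n in refs):
        return None
    return re.sub(r"\$(\d+)", lambda r: m.group(int(r.group(1))), fmt)


def sourcetype_for(source_value, regex=WOODCOCK_REGEX, fmt=FORMAT):
    """Convenience wrapper: the sourcetype a given source would receive."""
    return apply_transform(regex, fmt, source_value)


if __name__ == "__main__":
    cases = [
        SAMPLE_SOURCE,
        "source::/var/log/opscode/current",          # constructed: one level short
        "source::/var/log/opscode/bad name/current",  # constructed: odd directory name
    ]
    for src in cases:
        print(src)
        print("  woodcock :", sourcetype_for(src, WOODCOCK_REGEX))
        print("  somesoni2:", sourcetype_for(src, SOMESONI2_REGEX))
        print("  strict   :", sourcetype_for(src, STRICT_REGEX))
    print("original \\w+ with $4:",
          apply_transform(ORIGINAL_REGEX, "sourcetype::chef:server:$4", SAMPLE_SOURCE))
```

The harness makes the practical difference between the two answers visible: woodcock's pattern requires a component after the captured one (the trailing `/`), so a source with too few path elements simply does not match and keeps its sourcetype, whereas somesoni2's unanchored pattern will happily turn whatever follows `/var/log/opscode/` into the sourcetype suffix. Because index-time metadata is permanent, it is worth deciding in advance which of those behaviours you want, and whether to narrow the character class as STRICT_REGEX does.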