How to develop a regular expression for my file pa...

cleelakrishna · ‎04-20-2017

How to develop a regular expression for the below paths to update in transforms.conf?

/srv/tomcat7/iiq/logs/sailpoint.log
/srv/tomcat7/iiq/logs/localhost_access_log.2017-04-19.txt
/srv/tomcat7/iiq/logs/catalina.out

Richfez · ‎07-16-2017

cleelakrishna,

If one of the below answers resolved your issue, could you please mark it Accepted? If they both did, Accept the most useful of the answers and upvote the other!

If it did not, please post back with more information or what's not working right so we can help finish this up!

Happy Splunking,
Rich

woodcock · ‎04-20-2017

In props.conf:

[YourSourcetypeHere]
REPORT-filename_from_source = filename_from_source

In transforms.conf:

[filename_from_source]
SOURCE_KEY = source
REGEX = [^\\\/]+$
FORMAT = finename::$1

somesoni2 · ‎04-20-2017

What you want to do with these path in the transforms.conf? Search time or index time?

cleelakrishna · ‎04-20-2017

there is one entry defined for log inputs. this happens to resolve to (at least) 6 different source files. Each unique file type should have a sourcetype, however these are all assigned to a single sourcetype.

I have to create each source type for that source paths

jkat54 · ‎04-20-2017

If you're looking to capture the filenames, try this

 \/src\/tomcat7\/iiq\/logs\/(.*)

Or if you're extracting as a field

 \/src\/tomcat7\/iiq\/logs\/(?<fileName>.*)

How to develop a regular expression for my file paths to update in transforms.conf?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases