- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Create a field from the source
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a field from the source
Hi,
I have created fields from the raw data successfully. However now I need to extract a portion of the source data (which I imported manually into my Splunk running on a Mac) and create one field.
My source data are actually multiple files that contains log and the machine identifiers is in the source path
Exemple:
splunk_data.zip:./var/www/temp/GetOnline/CG1111/MD/LOG.TXT
splunk_data.zip:./var/www/temp/GetOnline/UV5015/MD/LOG.TXT
The correct regex to extract the machine name would be: (?<=ne\/).*?(?=\/MD)
I have tried all possible answers from that forum and I could not create a field t.hat would include all my machine names.
I was wondering if you guys can shed some light here?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer.
I've done what you suggested but it doesn't work. I have three questions:
1) There are a lot of props.conf and transforms.conf on my Mac. I created these two files under /Application/Splunk/etc/system/local and I populated them with your inputs above. Is that right?
2) In your props.conf above, what would be the correct value for "yoursourcetype"?
3) Then what? Restart Splunk? Restart my Mac? Re-index?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) Which props/trasnforms files you alter may depend on your other configurations. You can use btool to ensure the configurations you create are being handled as you want them.
2) That depends on what sourcetype the data is created with. When you search for this data in your Splunk instance, what do you see for the sourcetype?
3) You should not need to re-index, but you should at least perform a debug/refresh (yoursplunkhost:8000/debug/refresh, and click the button that is shown there) to inform Splunk to re-read its configuration.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this.
props.conf:
[<yoursourcetype>]
REPORT-machinename = machinename
transforms.conf:
[machinename]
SOURCE_KEY = MetaData:Source
REGEX = (?<=ne\/)(?<machinename>.*)?(?=\/MD)
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
