I tried to follow the directions here to extract a field from the source path of my directory -- but I can't seem to get it working.
At the end of the post it says to add
EXTRACT-ws_component = ^/([^/]+)$ in source
to my props.conf file. Since this is a Windows machine, I changed the backslash (/) to escaped forward slash (\\) and I end up with this
EXTRACT-ws_component = ^\\([^\\]+)$ in source'
Then when I go into search, my new field does not show up.
In the end I want to extract a field from the pathname of the files. A sample of the pathnames is like so:
D:\extract\stressTest\hkln288p\WLS_ATH1\logs\out.log
D:\extract\stressTest\hkln288p\WLS_CMB_NA1\logs\out.log
D:\extract\stressTest\hkln289p\WLS_ATH2\logs\out.log
D:\extract\stressTest\hkln289p\WLS_ATH\logs\out.log
D:\extract\stressTest\hkln289p\WLS_CMB_BAC2\logs\out.log
where the field I want to extract is the WLS_* section: WLS_ATH1, WLS_ATH2... etc.
How do I accomplish this?
Lastly -- please excuse any oversights here, I've only been using Splunk for a few days.
You could try the following in props.conf for the sourcetype in question.
[your_sourcetype]
EXTRACT-wls = \\WLS_(?<ZZZ>[A-Z0-9_]+)
should give you a new field called ZZZ which would contain the various WLS_* (but not the leading WLS_ part, i.e. ATH, ATH2, CMB_BAC2, etc.)
Hope this helps,
K
Your initial regex featured a caret (^) in the initial position meaning "start at the beginning of the string" in regex-ese. Since the paths begin with D:\, your regex wasn't going to match. Glad to see you've got it working.
Thanks - that was enough to get it working. Note the line MUST read EXTRACT-wls = \\WLS_(?<ZZZ>[A-Z0-9_]+) in source in order to work properly.
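Added example (not from the thread and not Splunk's own code): a simplified Python model of how `EXTRACT-<class> = <regex> in <field>` chooses which field the regex runs against, applied to the sample paths from the question. The `_raw` text, the helper `apply_extract` and the field name `wls_component` are assumptions made for illustration; Python's `re` spells named groups `(?P<name>...)`, so the helper converts the `(?<name>...)` form used in props.conf.

```python
import re

# Constructed events: the source paths are samples from the question above;
# the _raw text is made up for this example.
EVENTS = [
    {"source": r"D:\extract\stressTest\hkln288p\WLS_ATH1\logs\out.log", "_raw": "server started"},
    {"source": r"D:\extract\stressTest\hkln288p\WLS_CMB_NA1\logs\out.log", "_raw": "server started"},
    {"source": r"D:\extract\stressTest\hkln289p\WLS_CMB_BAC2\logs\out.log", "_raw": "server started"},
]

def apply_extract(setting, event):
    """Simplified model of 'EXTRACT-<class> = <regex> [in <field>]'.

    Returns the named captures as a dict, or None when the regex does not match.
    """
    regex, field = re.fullmatch(r"(.*?)(?:\s+in\s+(\w+))?\s*", setting).groups()
    # Without an 'in <field>' suffix the regex is applied to the raw event text.
    field = field or "_raw"
    # Python spells named groups (?P<name>...); leave lookbehinds (?<= and (?<! alone.
    pattern = re.sub(r"\(\?<(?![=!])", "(?P<", regex)
    match = re.search(pattern, event.get(field, ""))
    return match.groupdict() if match else None

SETTINGS = [
    r"^\\([^\\]+)$ in source",                        # first attempt: anchored, one path segment only
    r"\\WLS_(?<ZZZ>[A-Z0-9_]+)",                      # answer as posted: searches _raw, not the path
    r"\\WLS_(?<ZZZ>[A-Z0-9_]+) in source",            # working form from the last reply
    r"\\(?<wls_component>WLS_[A-Z0-9_]+) in source",  # hypothetical variant that keeps the WLS_ prefix
]

if __name__ == "__main__":
    for setting in SETTINGS:
        print(setting)
        for event in EVENTS:
            print("   ", event["source"], "->", apply_extract(setting, event))
```

The variant on the last line of `SETTINGS` moves `WLS_` inside the capture group, which yields the full `WLS_ATH1` style value the question asked for.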