Solved: Re: Change source file name while indexing

splunkwar · ‎03-30-2020

Hi,

I have a source file something like this Samplefile_Infobar_20200331 and I would like to view the source as Samplefile_Infobar_2020-03-31 on Splunk search head (With hyphens between the yyyymmdd). How to do it.

Thanks

gcusello · ‎03-30-2020

hi @ splunkwar
try something like this:

| makeresults | eval source="Samplefile_Infobar_20200331.log"
| rex field=source "^(?<prefix>.*)(?<year>\d\d\d\d)(?<month>\d\d)(?<day>\d\d)(?<ext>.*)"
| eval source_final=prefix.year."-".month."-".day.ext
| table source source_final

Ciao.
Giuseppe

View solution in original post

gcusello · ‎03-30-2020

hi @ splunkwar
try something like this:

| makeresults | eval source="Samplefile_Infobar_20200331.log"
| rex field=source "^(?<prefix>.*)(?<year>\d\d\d\d)(?<month>\d\d)(?<day>\d\d)(?<ext>.*)"
| eval source_final=prefix.year."-".month."-".day.ext
| table source source_final

Ciao.
Giuseppe

splunkwar · ‎03-30-2020

Thanks @gcusello , is there a way to achieve same before indexing ?
thanks in advance.

gcusello · ‎03-30-2020

hi @splunkwar,
I cannot test it, so try something like this:
transforms.conf

[source_override]
REGEX = ^(.*)_(\d\d\d\d)(\d\d)(\d\d)(.*)
FORMAT = source::$1_$2-$3-$4$5
SOURCE_KEY=MetaData:Source
DEST_KEY = MetaData:Source

props.conf

[your_sourcetype]
REPORT-source = source_override

Ciao.
Giuseppe

splunkwar · ‎03-30-2020

Thanks, it works. 🙂

gcusello · ‎03-30-2020

You're welcome!
See next time!
ciao.
Giuseppe

Change source file name while indexing

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio