Splunk Search

How to extract filename form Source field

deepthi5
Path Finder

Hi team,

I have got a csv files indexed into splunk with names SOURCE= C:\Netwrokanalysis\germany.csv ,c:\networkanalysis\singapore.csv i want to extract country name form this SOURCE field that is germany,singapore

Thanks ,
Deepthi

Tags (2)
0 Karma

gyarici
Path Finder

Also assigning different sourcetype per county csv file is other option and you can handle it better for your future search queries.

In your input.conf file;

[monitor://C:\networkanalysisgermany.csv]
disabled = false
sourcetype = Germany

[monitor://C:\networkanalysissingapore.csv]
disabled = false
sourcetype = Singapore

Create Sourcetypes

Hope it helps

Gokhan

sc0tt
Builder

This is probably the best solution.

0 Karma

joao_amorim
Communicator

I didn't test it but it should work if the length of the first part of the SOURCE string is always the same.
You can also apply a rex command after applying the split command, but it will do the same than the command proposed by sc0tt

0 Karma

sc0tt
Builder

I'm sure there is a more elegant solution, but would something like | eval country = mvindex(split(substr(source,18),"."),0) work?

Edit: This should work as well

rex field=source "c:networkanalysis(?<country>\S+).csv"
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...