Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract from source path not working

kittle
New Member
‎08-07-2012 02:38 PM

I tried to follow the directions here to extract a field from the source path of my directory -- but i cant seem to get it working.

At the end of the post it says to add

EXTRACT-ws_component = ^/([^/]+)$ in source

to my props.conf file. since this is a windows machine, I changed the backslash (/) to escaped forward slash (\\) and I end up with this

EXTRACT-ws_component = ^\\([^\\]+)$ in source'

Then when I go into search, my new field does not show up.

In the end I want to extract a field from pathname of the files A sample of the pathanmes is like so: 

D:\extract\stressTest\hkln288p\WLS_ATH1\logs\out.log  
D:\extract\stressTest\hkln288p\WLS_CMB_NA1\logs\out.log  
D:\extract\stressTest\hkln289p\WLS_ATH2\logs\out.log  
D:\extract\stressTest\hkln289p\WLS_ATH\logs\out.log  
D:\extract\stressTest\hkln289p\WLS_CMB_BAC2\logs\out.log

where the field I want to extract is the WLS_* section: WLS_ATH1, WLS_ATH2... etc

how do I accomplish this?

lastly -- please excuse any oversights here, ive only been using splunk for a few days.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-07-2012 03:33 PM

You could try the following in props.conf for the sourcetype in question.

[your_sourcetype]
EXTRACT-wls = \\WLS_(?<ZZZ>[A-Z0-9_]+)

should give you a new field called ZZZ which would contain the various WLS_* (but not the leading WLS_ part, i.e ATH, ATH2, CMB_BAC2 etc)

Hope this helps,

K

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎08-07-2012 06:02 PM

Your initial regex featured a caret (^) in the initial position meaning "start at the beginning of the string" in regex-ese. Since the paths begin with D:\, your regex wasn't going to match. Glad to see you've got it working.

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-07-2012 03:33 PM

You could try the following in props.conf for the sourcetype in question.

[your_sourcetype]
EXTRACT-wls = \\WLS_(?<ZZZ>[A-Z0-9_]+)

should give you a new field called ZZZ which would contain the various WLS_* (but not the leading WLS_ part, i.e ATH, ATH2, CMB_BAC2 etc)

Hope this helps,

K

0 Karma
Reply
Solved! Jump to solution

kittle
New Member
‎08-07-2012 04:44 PM

Thanks - that was enough to get it working. note the line MUST read EXTRACT-wls = \\WLS_(?<ZZZ>[A-Z0-9_]+) in source in order to work properly

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...