Splunk extract fields from source

0
votes

I have log entries all having a source file like:

/openshift/{openshift_container_id}/{openshift_container_name}/{openshift_image_name}/{openshift_pod_name}/{openshift_namespace}.{docker_stream}

Is it possible to have parts of the log source as fields? How can this be done?

1
splunk

1 Answers

2
votes
rex field=source "/openshift/(?<openshift_container_id>[^/]+)/(?<openshift_container_name>[^/]+)/(?<openshift_image_name>[^/]+)/(?<openshift_pod_name>[^/]+)/(?<openshift_namespace>[^\.]+)\.(?<docker_stream>.*)"

You can use the rex command to extract fields from other fields using regular expressions