I'd like to assign the sourcetype based on the folder the logs are sitting in
***What I have***
File location picked up by forwarder
C:\Program Files (x86)\LIC\Current\test\filename.log
**props.conf**
[source::C:\Program Files (x86)\Current\*\*.log]
TRANSFORMS-set_sourcetype = set_sourcetype_from_log_subdir
**transforms.conf**
[set_sourcetype_from_log_subdir]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Sourcetype
REGEX = .+\\(.+)\\[^]*
FORMAT = sourcetype::$1
Splunk returns sourcetype as **filename** when indexed
but what I want is the folder, not the file name, so it should return **test**