How can I configure Splunk to extract some fields from the source filename?
I already specify a host_regex and that works great. Also, I understand that if there is a date in the filename, Splunk will find it automatically. The field can be extracted at index time if it must be.
I have Splunk watch a lot of files and directories. For some source types, there are fields in the filename that aren't the 'host' or a 'date' field. Furthermore, these fields aren't repeated in the event data themselves (i.e., not in the file content, only in the filename).
Here's an example from a host collecting Oracle alert logs:
<logdir>/<host>.<sid>.log
/tmp/splunk_alert_logs/db01.TOOL.log
This might have been hit already, but I'm having some difficulty finding an answer that doesn't involve an automatically located field.
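One way to pull the `<sid>` part out of the source path, shown here as an added example that is not part of the original question. It assumes the `<logdir>/<host>.<sid>.log` layout above with `/tmp/splunk_alert_logs` as the log directory; the stanza names, the transform name `oracle_sid_from_source` and the field name `sid` are choices made for this example. The search-time form (`EXTRACT-... in source`) is the lighter option and can be added or changed at any time; the index-time form (`TRANSFORMS-...` plus `WRITE_META`) is for the case the question mentions where the field really has to be indexed, and it only takes effect on data parsed after it is deployed to the indexer or heavy forwarder that does the parsing.

```ini
# --- Option 1: search-time extraction (props.conf on the search head) ---
# Regex is applied to the "source" field instead of _raw.
# Matches ".../db01.TOOL.log" and captures "TOOL" as sid.
[source::/tmp/splunk_alert_logs/*.log]
EXTRACT-oracle_sid = /[^/.]+\.(?<sid>[^/.]+)\.log$ in source

# --- Option 2: index-time extraction (on the indexer / heavy forwarder) ---
# props.conf: route events from these files through the transform.
[source::/tmp/splunk_alert_logs/*.log]
TRANSFORMS-oracle_sid = oracle_sid_from_source

# transforms.conf: read the source metadata key rather than the event text.
# The value of MetaData:Source carries a "source::" prefix, so the regex is
# anchored on the last path separator and the ".log" suffix, not on the start.
[oracle_sid_from_source]
SOURCE_KEY = MetaData:Source
REGEX = /[^/.]+\.([^/.]+)\.log$
FORMAT = sid::$1
WRITE_META = true

# fields.conf: tell search to treat sid as an indexed field so
# "sid=TOOL" is answered from the index instead of a raw-text scan.
[sid]
INDEXED = true
```

With either option, `source=/tmp/splunk_alert_logs/db01.TOOL.log` yields `sid=TOOL`, and host stays whatever the existing host_regex assigns. Pick one option rather than both: an index-time `sid` and a search-time `sid` on the same events will produce multivalued fields. Index-time changes need a restart of the parsing instance, and a universal forwarder does not apply `TRANSFORMS-` stanzas, so Option 2 belongs on the indexer or heavy forwarder, not on the host that collects the alert logs.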