topic Re: Need help with regex for inputs.conf in Getting Data In

Need help with regex for inputs.conf

AK_Splunk — Tue, 28 Mar 2023 13:38:00 GMT

Need help with regex for inputs.conf to change the host as hostname and incase host has FQDN it should pick up till hostname only

example

1) host=hostname1

2) host = hostname2.yahoo.com

3) host = hostname3.google.com

In all these example it should pick only hostname1,hostname2,hostname3

Re: Need help with regex for inputs.conf

gcusello — Tue, 28 Mar 2023 13:41:42 GMT

Hi @AK_Splunk,

you can set host in inputs.conf on Universal Forwarders in fixed mode.

you can also override host field only on Indexers or (if present) on Heavy Forwarders following the instructions on https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Overridedefaulthostassignments

Ciao.

Giuseppe

Re: Need help with regex for inputs.conf

AK_Splunk — Tue, 28 Mar 2023 13:50:54 GMT

Hi @gcusello

Thanks for your quick response.

The link shares details to perform at props.conf and transforms.conf. I am looking for changes in inputs.conf directly.
Can you help me on the same?

Re: Need help with regex for inputs.conf

gcusello — Tue, 28 Mar 2023 13:58:07 GMT

Hi @AK_Splunk,

as I said, on inputs.conf you can only set up a value for host, evetually read from the path.

But if you want to have the FQDN for all Universal Forwarders, it's possible to configure the hostaneme to use FQDN adding this option to server.conf:

hostnameOption=fullyqualifiedname

as you can read at https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Serverconf

hostnameOption = [ fullyqualifiedname | clustername | shortname ] * The type of information to use to determine how splunkd sets the 'host' value for a Windows Splunk platform instance when you specify an input stanza with 'host = $decideOnStartup'. * Applies only to Windows hosts, and only for input stanzas that use the "host = $decideOnStartup" setting and value. * Valid values are "fullyqualifiedname", "clustername", and "shortname". * The value returned for the 'host' field depends on Windows DNS, NETBIOS, and what the name of the host is. * 'fullyqualifiedname' uses Windows DNS to return the fully qualified host name as the value. * 'clustername' also uses Windows DNS, but sets the value to the domain and machine name. * 'shortname' returns the NETBIOS name of the machine. * Cannot be an empty string. * Default: shortname

Ciao.

Giuseppe

Re: Need help with regex for inputs.conf

AK_Splunk — Tue, 28 Mar 2023 14:12:51 GMT

Thanks for sharing your input @gcusello .
I don't want to edit the server.conf for this requirement. I can only make changes in inputs.conf and for this I am following the below document section. Hence looking for regex

link-->https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/Setadefaulthostforaninput

section-->Set the event host with the host_regex attribute

Re: Need help with regex for inputs.conf

gcusello — Tue, 28 Mar 2023 14:20:35 GMT

HI @AK_Splunk,

as I said and it's described in the above link, you can statically configure a value for host,adding the host option to each stanza of inputs.conf

[monitor:///your_path/your_file.log] disabled = 0 index = your_index sourcetype = your_sourcetype host = your_host

but it's a static assignment.

ciao.

Giuseppe

Re: Need help with regex for inputs.conf

gcusello — Tue, 28 Mar 2023 14:23:31 GMT

Hi @AK_Splunk,

an additional information: you can extract the host from the path using the segment or a regex still on path or filename:

host_regex = <regular expression> * If specified, <regular expression> extracts host from the path to the file for each input file. * Detail: This feature examines the source key; if source is set explicitly in the stanza, that string is matched, not the original filename. * Specifically, the first group of the regular expression (regex) is used as the host. * If the regex fails to match, the input uses the default 'host' setting. * If 'host_regex' and 'host_segment' are both set, the input ignores 'host_regex'. * No default. host_segment = <integer> * If set to N, the Splunk platform sets the Nth "/"-separated segment of the path as 'host'. * For example, if you set "host_segment = 3" and the path is /logs/servers/host08/abc.txt, the third segment, "host08", is used. * If the value is not an integer or is less than 1, the default 'host' setting is used. * On Windows machines, the drive letter and colon before the backslash *does not* count as one segment. * For example, if you set "host_segment = 3" and the monitor path is D:\logs\servers\host01, Splunk software sets the host as "host01" because that is the third segment. * No default.

as described at https://docs.splunk.com/Documentation/Splunk/9.0.4/admin/Inputsconf

Ciao.

Giuseppe