topic Re: Why does set host by 'regex on path' work differently between Splunk Web and inputs.conf? in Getting Data In

Why does set host by 'regex on path' work differently between Splunk Web and inputs.conf?

evelenke — Tue, 27 Dec 2016 18:09:27 GMT

Hi Splunkers,

I have a set of directories (syslog collector), created for logs from remote hosts and containing hostnames in the name. While indexing in Splunk, I need all the data to be mapped to the same source (source=myhosts) to avoid creating new source for new files.
Also I need to extract hostnames from the path, so I use 'regex on path'.

The issue is that when I create Input via Splunk Web, the regex works just fine and my host=remotehostname, but I can't declare source value.
When I create input in inputs.conf with the same regex, my host=splunkhostname.

The regex looks like this:

.*\/work\/SPLUNK\_HOSTS\_\/(?\S[^\/]+).*

How can I fix it?

Thank you in advance.

Re: Why does set host by 'regex on path' work differently between Splunk Web and inputs.conf?

somesoni2 — Tue, 27 Dec 2016 19:22:49 GMT

Are you overriding the source attribute in inputs.conf and then host = .*\/work\/SPLUNK\_HOSTS\_\/(?\S[^\/]+).* is not working? Mind sharing your inputs.conf entry (full)?

Re: Why does set host by 'regex on path' work differently between Splunk Web and inputs.conf?

gokadroid — Tue, 27 Dec 2016 22:32:42 GMT

Can you try to see if host_segment is what you are looking for to create the host names based on the directory paths. For example in below the host is picked up from 4th element in the directory path as abc-host*:

inputs.conf
[monitor:///myLogDirectory/myRegionDirectory/myEnvDirectory/abc-host*/xyz.log]
host_segment = 4

Re: Why does set host by 'regex on path' work differently between Splunk Web and inputs.conf?

evelenke — Tue, 29 Sep 2020 12:13:17 GMT

Hi,

Here's my stanzas. Sorry, but I have to change names

[monitor:///work/VENDOR_DEVICES_/mydevice.mydomain.com]
disabled = false
index = vendor
source = vendor_model
host_regex = .*DEVICES\_\/(?<host>\S[^\/]+).*

The source value is unique for this type of devices

Also I had to mention the folder structure inside each folder like the following:

/work/VENDOR_DEVICES_/mydevice.mydomain.com/2016/2016-12/2016-12-28/mydevice.mydomain.com_20161228.txt

Re: Why does set host by 'regex on path' work differently between Splunk Web and inputs.conf?

evelenke — Wed, 28 Dec 2016 12:00:56 GMT

Hi,

strange , but host_segment doesn't work from inputs.conf neither...
Strictly declared host (host=mydevicename) works fine.