<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Need help extracting a hostname from a source path in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Need-help-extracting-a-hostname-from-a-source-path/m-p/42073#M7822</link>
    <description>&lt;P&gt;An even easier approach might be &lt;CODE&gt;host_segment&lt;/CODE&gt; in &lt;CODE&gt;inputs.conf&lt;/CODE&gt;.  Using your example,&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[monitor:///var/log/fms]
host_segment=4
sourcetype=fms_source_type
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Thu, 03 May 2012 00:19:20 GMT</pubDate>
    <dc:creator>dwaddle</dc:creator>
    <dc:date>2012-05-03T00:19:20Z</dc:date>
    <item>
      <title>Need help extracting a hostname from a source path</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Need-help-extracting-a-hostname-from-a-source-path/m-p/42072#M7821</link>
      <description>&lt;P&gt;Hey guys, &lt;/P&gt;

&lt;P&gt;I'm a noob at props and transforms. &lt;/P&gt;

&lt;P&gt;Trying to basically extract a hostname from a sourcepath. &lt;/P&gt;

&lt;P&gt;Example: &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;/var/log/fms/host/blah/
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I would like to extract "host" and use that as the hostname for the source log. &lt;/P&gt;

&lt;P&gt;Here is how I am doing it so far: &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[host-extract]
SOURCE_KEY = MetaData:Source
REGEX = (\/var\/log\/fms\/)([0-9a-zA-Z\.\-_/]+)?\/
DEST_KEY = MetaData:Host
FORMAT = $2
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I also setup the following in props for this transform: &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[FMS_LF]
TRANSFORMS-host = host-extract
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;However seems like its not working...&lt;/P&gt;

&lt;P&gt;Any thoughts? Is my regex not right?&lt;/P&gt;

&lt;P&gt;Any help you can provide would be great. &lt;/P&gt;

&lt;P&gt;Thanks. &lt;/P&gt;

&lt;P&gt;Brian&lt;/P&gt;</description>
      <pubDate>Thu, 03 May 2012 00:04:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Need-help-extracting-a-hostname-from-a-source-path/m-p/42072#M7821</guid>
      <dc:creator>balbano</dc:creator>
      <dc:date>2012-05-03T00:04:26Z</dc:date>
    </item>
    <item>
      <title>Re: Need help extracting a hostname from a source path</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Need-help-extracting-a-hostname-from-a-source-path/m-p/42073#M7822</link>
      <description>&lt;P&gt;An even easier approach might be &lt;CODE&gt;host_segment&lt;/CODE&gt; in &lt;CODE&gt;inputs.conf&lt;/CODE&gt;.  Using your example,&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[monitor:///var/log/fms]
host_segment=4
sourcetype=fms_source_type
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 03 May 2012 00:19:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Need-help-extracting-a-hostname-from-a-source-path/m-p/42073#M7822</guid>
      <dc:creator>dwaddle</dc:creator>
      <dc:date>2012-05-03T00:19:20Z</dc:date>
    </item>
  </channel>
</rss>

