topic Re: Help extracting hostname with host_regex from path in Getting Data In

Help extracting hostname with host_regex from path

jelli5518 — Tue, 05 Nov 2019 21:04:09 GMT

Log files are list this:

/audit/files/any/path/host1.audittype-secure.timestamp.audit.log.1
/audit/files/hostab.audittype-audit.timestamp.txt
etc...

Example:
/audit/files/path/host123.secure.2019080165784.audit.log.1

I want Splunk to have host as "host1" and "hostab" and "host123", and etc..

I have this in inputs.conf:

[monitor:///audit/files]
host_regex = \/S+([^.]).*

But it isn't working at all.

I'm trying to set hostname to the string between the last / and the first.

mayurr98 — Tue, 05 Nov 2019 22:00:50 GMT

try this :

host_regex = .*\/(host[^\.]+).*

host_regex = \/(host[^\.]+)

jelli5518 — Wed, 06 Nov 2019 17:02:09 GMT

The first worked!
The second put the path in the hostname.

Seems like I needed to remove the "host" keyboard from the above. I'm using Splunk Enterprise 7.1.2, if that matters.

Thanks!

mayurr98 — Wed, 06 Nov 2019 17:24:00 GMT

You are welcome!
Yeah .*\/([^\.]+).* will also work. Please accept the answer if it works for you to close the question.

jelli5518 — Wed, 06 Nov 2019 17:37:49 GMT

My log files don't actually have the word "host" in them-- that was just an example. Thanks again!