topic Re: How do you extract a hostname from a source path? in Splunk Search

How do you extract a hostname from a source path?

rkatsnel — Sat, 08 Dec 2018 16:24:18 GMT

Hello all ,

I've configured Splunk to monitor directory , i.e. /usr/home/test/* for new CSV files ( periodically generated by cronjob)
multiple files , multiple hostnames, etc....

csv file format = hostname.timestamp.csv
source=  /usr/home/test/rO1234560e.timestamp.csv

I would like to extract host name(s) at search time from my source:

as I don't have privileges to work on input / output stanza's

the following regex

r\w\d{7}\w

will match desired host name (confirmed in regex 101). But, in Splunk, a brand new field is created as "host_N" with no value ( i.e. it's blank).

|regex field source = (?)r\w\d{7}\w sourcetype = csv 

|regex field source = (?)r\w\d{7}\w\.\w+\.csv )  sourcetype= csv --- the same results

Thanks in advance !

Re: How do you extract a hostname from a source path?

whrg — Sat, 08 Dec 2018 16:52:17 GMT

Hi! You are confusing the regex command with the rex command. The regex command is for removing results based on a regular expression. The rex command (this is what you need) is for extracting new fields at search time.

Try it like this. The new field will be named "hostname":

index=... sourcetype=csv | rex field=source "(?<hostname>r\w\d{7}\w)"

Instead of doing the field extraction at search time, you could create a new field extraction under "Settings / Fields / Field extractions" or when clicking on "Event Actions / Extract Fields" in the search window. That way, Splunk will extract the field automatically for you.

EDIT: Typo

Re: How do you extract a hostname from a source path?

rkatsnel — Sat, 08 Dec 2018 16:59:13 GMT

I tried what you have suggested and it does not work , my guess it's was a typo -:) , Thanks for for your help

Re: How do you extract a hostname from a source path?

rkatsnel — Sat, 08 Dec 2018 17:05:28 GMT

new field extraction is a terrific idea , Thanks for that !

Re: How do you extract a hostname from a source path?

rkatsnel — Sat, 08 Dec 2018 17:16:17 GMT

Hello , Thanks for the prompt response it worked as expected , Have a good weekend !

Re: How do you extract a hostname from a source path?

whrg — Sat, 08 Dec 2018 17:16:21 GMT

True, I had a typo in there. I fixed it. Try it again.

Re: How do you extract a hostname from a source path?

whrg — Sat, 08 Dec 2018 18:08:23 GMT

Glad to hear it's working!
When you add a new field extraction via Settings / Fields, set the sourcetype to csv and set Extraction/Transform to:

(?<hostname>r\w\d{7}\w) in source