https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63134#M180255 <P>All,</P> <P>I'm trying to use host_regex to extract host names for input</P> <P>Background:</P> <UL> <LI>All logs are copied to a windows fileshare (installing agents on the servers are out of scope</LI> <LI>it would make life easier) logs are in different folder (split due as they all have different timezones - servers cannot use UTC/GMT)</LI> <LI>logs are in the following locations and format:<BR /> C:\foo\bar\Splunk\EET\fihel01srv001-Mon.log<BR /> C:\foo\bar\Splunk\CET\frpar01srv001-Mon.log<BR /> C:\foo\bar\Splunk\WET\uklon01srv001-Mon.log<BR /> etc...</LI> </UL> <P>Aim<BR /><BR /> to get:<BR /><BR /> fihel01srv001<BR /><BR /> frpar01srv001<BR /><BR /> uklon01srv001<BR /></P> <P>Attempted:<BR /></P> <UL> <LI>the following (unoptimised) search works :<BR /> index=test | rex field=source ".*?(?<HOSTNAME>[a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"<BR /></HOSTNAME></LI> </UL> <P>but...<BR /><BR /> when putting this into inputs.conf, it doesn't work<BR /><BR /> host field is set to the server that is indexing the logs<BR /><BR /> ie: host=splunkserver</P> <P>inputs.conf:<BR /> [monitor://C:\foo\bar\Splunk\WET\<EM>.log]<BR /> disabled = false<BR /> followTail = 0<BR /> index = test<BR /> sourcetype = testlogs<BR /> crcSalt=<SOURCE><BR /> host_regex = ".</SOURCE></EM>?([a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"</P> <P>BTW: also open to other alternative solutions...</P> Fri, 13 Sep 2013 09:57:47 GMT splunked38 2013-09-13T09:57:47Z https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63134#M180255 <P>All,</P> <P>I'm trying to use host_regex to extract host names for input</P> <P>Background:</P> <UL> <LI>All logs are copied to a windows fileshare (installing agents on the servers are out of scope</LI> <LI>it would make life easier) logs are in different folder (split due as they all have different timezones - servers cannot use UTC/GMT)</LI> <LI>logs are in the following locations and format:<BR /> C:\foo\bar\Splunk\EET\fihel01srv001-Mon.log<BR /> C:\foo\bar\Splunk\CET\frpar01srv001-Mon.log<BR /> C:\foo\bar\Splunk\WET\uklon01srv001-Mon.log<BR /> etc...</LI> </UL> <P>Aim<BR /><BR /> to get:<BR /><BR /> fihel01srv001<BR /><BR /> frpar01srv001<BR /><BR /> uklon01srv001<BR /></P> <P>Attempted:<BR /></P> <UL> <LI>the following (unoptimised) search works :<BR /> index=test | rex field=source ".*?(?<HOSTNAME>[a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"<BR /></HOSTNAME></LI> </UL> <P>but...<BR /><BR /> when putting this into inputs.conf, it doesn't work<BR /><BR /> host field is set to the server that is indexing the logs<BR /><BR /> ie: host=splunkserver</P> <P>inputs.conf:<BR /> [monitor://C:\foo\bar\Splunk\WET\<EM>.log]<BR /> disabled = false<BR /> followTail = 0<BR /> index = test<BR /> sourcetype = testlogs<BR /> crcSalt=<SOURCE><BR /> host_regex = ".</SOURCE></EM>?([a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"</P> <P>BTW: also open to other alternative solutions...</P> Fri, 13 Sep 2013 09:57:47 GMT https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63134#M180255 splunked38 2013-09-13T09:57:47Z https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63135#M180256 <P>Per </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/inputsconf" target="_blank">Splunk inputs.conf doc</A></P> <P>the host_regex extracts from the path, not the filename.</P> <P>Alternate solution. Put each server log in it's own folder and use host_regex or easier use host_segment.</P> Mon, 28 Sep 2020 14:46:26 GMT https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63135#M180256 antlefebvre 2020-09-28T14:46:26Z https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63136#M180257 <P>I'm not sure how many slashes, but this might work for your host_regex in inputs.conf</P> <P>\\\\\([a-z]+[0-9]+[a-z]+[0-9]+)-.+.log$"</P> Fri, 13 Sep 2013 13:41:22 GMT https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63136#M180257 lukejadamec 2013-09-13T13:41:22Z https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63137#M180258 <P>Actually, the path <EM>includes</EM> the file name, you can test this by using the following regex: (.+)</P> Mon, 16 Sep 2013 09:08:45 GMT https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63137#M180258 splunked38 2013-09-16T09:08:45Z https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63138#M180259 <P>Sorry, this doesn't work, even without the quotes. Using the regex (.+), the path is prefixed with 'source:' therefore the regex will fail. The solution below.</P> Mon, 16 Sep 2013 09:09:27 GMT https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63138#M180259 splunked38 2013-09-16T09:09:27Z https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63139#M180260 <P>ok, the answer is...remove the quotes!</P> <P>The following works:</P> <PRE><CODE> host_regex =_*?([a-z]+[0-9]+[a-z]+[0-9]+)-.+\\.log$ </CODE></PRE> Mon, 16 Sep 2013 09:10:23 GMT https://community.splunk.com/t5/Splunk-Search/host-regex-is-not-working-extract-host-name-from-windows-path/m-p/63139#M180260 splunked38 2013-09-16T09:10:23Z