topic Re: host_Regex help in Splunk Search

host_Regex help

a212830 — Mon, 28 Sep 2020 15:42:50 GMT

Hi,

I want to name my host based upon a value in the logfile. I know it can be done via regex but it's not working.

The name of the files are like this...

SG_HTTP.AGW-US123-PLUG.140124.122345.log.gz
SG_HTTP.AGW-US301-PLUG.140124.122345.log.gz

my host regex is = (IGW+[a-zA-Z0-9_])

richgalloway — Fri, 24 Jan 2014 13:53:57 GMT

Assuming the host name is between the first two dots, this may work for you.

'rex "[.]*\.(?<host>[^.]+?)\.[.]*"'

a212830 — Fri, 24 Jan 2014 13:58:05 GMT

I'm looking to to this in the inputs.conf, not the search bar.

richgalloway — Fri, 24 Jan 2014 14:05:01 GMT

Then you'll want to create a transforms.conf stanza with a 'REGEX = [.]*\.(?<host>[^\.]+?)\.(?<date>[^\.]*?)\.(?<time>[^\.]*?)' statement.

somesoni2 — Fri, 24 Jan 2014 17:35:48 GMT

If AGW-US123-PLUG is the host name from the file name, use this

\.([-a-zA-Z0-9]+)\.

If just US123-PLUG is the host name , use this

-([-a-zA-Z0-9]+)\.

E.g. inputs.conf
[monitor://<path>]
host_regex = <your_regex>