https://community.splunk.com/t5/Splunk-Search/How-to-host-regex-from-file-input/m-p/629621#M218731 <P>Ok I think i found out what the issue is.<BR /><BR />After changing the host_regex to just "(................)" to see what information is getting fed into splunk for that data, it showed only "source::SCC_SCAP" which means it's getting the data from my stanza configuration of&nbsp;<BR />Source=SCC_SCAP</P><P>When I removed that line, i started getting "source::&lt;full_file_path&gt;"<BR /><BR />So the issue was less about the regex not working, and more it was failing everytime and just defaulting back to the actual hot.<BR /><BR />But now i'm not sure how to fix the next problem.&nbsp; I don't want a million *.txt files inside the "Sources" sections of the databases.&nbsp; I want all of these text logs in a singular Source.&nbsp; But i guess if no one knows how to keep those unified without declaring the source in the inputs.conf, I think i have to choose between regex_host and Source=&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 04 Feb 2023 22:21:54 GMT icewolf69 2023-02-04T22:21:54Z https://community.splunk.com/t5/Splunk-Search/How-to-host-regex-from-file-input/m-p/629614#M218726 <P>Hey All,&nbsp;</P> <P>&nbsp;</P> <P>I'm really struggling here.&nbsp; I'm trying to get a universal forwarder to pull in txt logs, and edit the "host" field based on the filename/file path.</P> <P>Example file path:</P> <P>C:\SCAP_SCANS\Sessions\2023-02-04_1200\SERVER-test_SCC-5.7_2023-02-04_111238_Non-Compliance_MS_Windows_10_STIG-2.7.1.txt</P> <P>&nbsp;</P> <P>Inputs.conf stanza:<BR /><BR /></P> <P>[monitor://C:\SCAP_SCANS\Sessions]<BR />disabled = false<BR />ignoreOlderThan = 90d<BR />host_regex = [^\\\]+(?=_SCC)<BR />SHOULD_LINEMERGE = true<BR />MAX_EVENTS = 500000<BR />index = main<BR />source = SCC_SCAP_TXT<BR />sourcetype = SCC_SCAP_TXT<BR />whitelist = (Non-Compliance).*\.(txt)</P> <P>&nbsp;</P> <P>Tried a few different regex's.&nbsp; Checked btool to make sure there aren't any configs overwriting settings.&nbsp; Tried with and without transforms and props files.&nbsp; Verified regex works using the path and a makeresults query.<BR /><BR />Anyone have any suggestions?</P> Mon, 06 Feb 2023 00:13:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-host-regex-from-file-input/m-p/629614#M218726 icewolf69 2023-02-06T00:13:52Z https://community.splunk.com/t5/Splunk-Search/How-to-host-regex-from-file-input/m-p/629616#M218728 <P>The <FONT face="courier new,courier">host_regex</FONT> setting requires a capture group.&nbsp; The example setting does not have one.</P><P>Please specify what&nbsp; part of the file path is the server name and we should be able to produce a regex for it.</P> Sat, 04 Feb 2023 18:10:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-host-regex-from-file-input/m-p/629616#M218728 richgalloway 2023-02-04T18:10:36Z https://community.splunk.com/t5/Splunk-Search/How-to-host-regex-from-file-input/m-p/629617#M218729 <P>It requires a capture group? Do you have to set a specific variable for that?<BR /><BR /><SPAN>C:\SCAP_SCANS\Sessions\2023-02-04_1200\<U><STRONG>SERVER-test</STRONG></U>_SCC-5.7_2023-02-04_111238_Non-Compliance_MS_Windows_10_STIG-2.7.1.txt</SPAN></P><P><SPAN>Bold and underlined is the server name.<BR /><BR />The following regex works fine on a makeresults:<BR />(?&lt;host&gt;([^\\\\]+(?=_SCC)))<BR /></SPAN></P> Sat, 04 Feb 2023 18:13:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-host-regex-from-file-input/m-p/629617#M218729 icewolf69 2023-02-04T18:13:20Z https://community.splunk.com/t5/Splunk-Search/How-to-host-regex-from-file-input/m-p/629618#M218730 <P>No need to set a variable (perhaps not even allowed).&nbsp; The first capture group becomes the host name.</P><P>This regex is more efficient, according to regex101.com</P><LI-CODE lang="markup">\\([^\\\\]+)_SCC</LI-CODE> Sat, 04 Feb 2023 19:06:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-host-regex-from-file-input/m-p/629618#M218730 richgalloway 2023-02-04T19:06:16Z https://community.splunk.com/t5/Splunk-Search/How-to-host-regex-from-file-input/m-p/629621#M218731 <P>Ok I think i found out what the issue is.<BR /><BR />After changing the host_regex to just "(................)" to see what information is getting fed into splunk for that data, it showed only "source::SCC_SCAP" which means it's getting the data from my stanza configuration of&nbsp;<BR />Source=SCC_SCAP</P><P>When I removed that line, i started getting "source::&lt;full_file_path&gt;"<BR /><BR />So the issue was less about the regex not working, and more it was failing everytime and just defaulting back to the actual hot.<BR /><BR />But now i'm not sure how to fix the next problem.&nbsp; I don't want a million *.txt files inside the "Sources" sections of the databases.&nbsp; I want all of these text logs in a singular Source.&nbsp; But i guess if no one knows how to keep those unified without declaring the source in the inputs.conf, I think i have to choose between regex_host and Source=&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 04 Feb 2023 22:21:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-host-regex-from-file-input/m-p/629621#M218731 icewolf69 2023-02-04T22:21:54Z