host_regex is not working extract host name from windows path

splunked38
Communicator

All,

I'm trying to use host_regex to extract host names for input

Background:

  • All logs are copied to a Windows fileshare (installing agents on the servers is out of scope, though it would make life easier).
  • Logs are in different folders (split because they all have different timezones; servers cannot use UTC/GMT).
  • logs are in the following locations and format:
    C:\foo\bar\Splunk\EET\fihel01srv001-Mon.log
    C:\foo\bar\Splunk\CET\frpar01srv001-Mon.log
    C:\foo\bar\Splunk\WET\uklon01srv001-Mon.log
    etc...

Aim

to get:

fihel01srv001

frpar01srv001

uklon01srv001

Attempted:

  • the following (unoptimised) search works :
    index=test | rex field=source ".*?(?[a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"

but...

when putting this into inputs.conf, it doesn't work

host field is set to the server that is indexing the logs

ie: host=splunkserver

inputs.conf:
[monitor://C:\foo\bar\Splunk\WET\*.log]
disabled = false
followTail = 0
index = test
sourcetype = testlogs
crcSalt=
host_regex = ".*?([a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"

BTW: also open to other alternative solutions...

1 Solution

splunked38
Communicator

ok, the answer is...remove the quotes!

The following works:

 host_regex = .*?([a-z]+[0-9]+[a-z]+[0-9]+)-.+\\.log$

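To see why the quoted value never matched, here is an added example (not code from the thread or from Splunk) that models host_regex resolution in Python's re module: the first capture group of the pattern becomes the host, and when the pattern does not match the event keeps the default host, which in the thread is the indexing server. The fallback behaviour and the Windows-segment numbering in host_from_segment are simplified assumptions for illustration; the sample paths, the splunkserver default and the lint_host_regex check are constructed for this example.

```python
import re

# Constructed sample source paths modelled on the ones in the question (not real data).
SAMPLE_PATHS = [
    r"C:\foo\bar\Splunk\EET\fihel01srv001-Mon.log",
    r"C:\foo\bar\Splunk\CET\frpar01srv001-Mon.log",
    r"C:\foo\bar\Splunk\WET\uklon01srv001-Mon.log",
]

# Assumption for this model: when host_regex does not match, the host stays at the
# default, which in the thread was the indexing server's own name.
INDEXER_HOST = "splunkserver"

# The pattern as it should appear in inputs.conf (no surrounding quotes)...
UNQUOTED = r'.*?([a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$'
# ...and the quoted form from the question. Splunk does not strip the quotes, so
# they become literal characters the path must contain, and it never does.
QUOTED = '"' + UNQUOTED + '"'


def resolve_host(path, host_regex, default_host=INDEXER_HOST):
    """Return the host a monitor input would assign: first capture group, else the default."""
    match = re.search(host_regex, path)
    if match and match.group(1):
        return match.group(1)
    return default_host


def extract_all(host_regex, paths=SAMPLE_PATHS):
    """Resolve the host for every sample path with the given host_regex value."""
    return [resolve_host(path, host_regex) for path in paths]


def lint_host_regex(value):
    """Flag the two mistakes from the thread in a raw host_regex value: quotes and no group.

    Uses Python's re as a stand-in for Splunk's PCRE engine; close enough for these checks.
    """
    problems = []
    stripped = value.strip()
    if len(stripped) >= 2 and stripped[0] == stripped[-1] == '"':
        problems.append("value is wrapped in quotes; they are matched literally against the path")
    try:
        compiled = re.compile(stripped)
    except re.error as exc:
        problems.append(f"regex does not compile: {exc}")
        return problems
    if compiled.groups < 1:
        problems.append("regex has no capture group; the first group supplies the host")
    return problems


def host_from_segment(path, segment, default_host=INDEXER_HOST):
    """Model of the host_segment alternative: take the Nth path component (1-based).

    Simplified assumption: components are counted after splitting on \\ or /, with the
    drive letter as segment 1. Only useful when each server's logs sit in their own folder.
    """
    parts = [p for p in re.split(r"[\\/]", path) if p]
    if 0 < segment <= len(parts):
        return parts[segment - 1]
    return default_host


if __name__ == "__main__":
    for label, pattern in (("quoted", QUOTED), ("unquoted", UNQUOTED)):
        print(f"{label}: lint={lint_host_regex(pattern)}")
        for path, host in zip(SAMPLE_PATHS, extract_all(pattern)):
            print(f"  {path} -> host={host}")
    # One-folder-per-server layout, as suggested later in the thread (constructed path).
    print(host_from_segment(r"C:\foo\bar\Splunk\EET\fihel01srv001\Mon.log", 6))
```

Running the script shows every path resolving to splunkserver under the quoted pattern and to the expected server name under the unquoted one, which is exactly the symptom described in the question.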


lukejadamec
Super Champion

I'm not sure how many slashes, but this might work for your host_regex in inputs.conf

\\\\\([a-z]+[0-9]+[a-z]+[0-9]+)-.+.log$"


splunked38
Communicator

Sorry, this doesn't work, even without the quotes. Using the regex (.+), the path is prefixed with 'source:', therefore the regex will fail. The solution is below.


antlefebvre
Communicator

Per the Splunk inputs.conf doc, the host_regex extracts from the path, not the filename.

Alternate solution: put each server log in its own folder and use host_regex or, easier, use host_segment.


splunked38
Communicator

Actually, the path includes the file name, you can test this by using the following regex: (.+)
