host_regex isn't working...


I'm trying to get vulnerability data from a Nessus 4 nbe file. Here is my inputs.conf entry:

crcSalt = <SOURCE>
disabled = false
index = default
sourcetype = nessus
host_regex = .*?\|.*?|(.*?)\|

The output of the file looks like:

timestamps|||host_start|Thu Dec  9 15:27:16 2010|

results|192.168.250||snmp (161/udp)|10800|Security Note|\nSynopsis :\n\nThe System Information of the remote host can be obtained via SNMP.\n\nDescription :\n\nIt is possible to obtain the system information about the remote\nhost by sending SNMP requests with the OID\n\nAn attacker may use this information to gain more knowledge about\nthe target host.\n\nSolution :\n\nDisable the SNMP service on the remote host if you do not use it,\nor filter incoming UDP packets going to this port.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nSystem information :\n sysDescr     : Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)\r\nTechnical Support:\r\nCopyright (c) 1986-2010 by Cisco Systems, Inc.\r\nCompiled Wed 21-Apr-10 05:33 by prod_rel_team\n sysObjectID  :\n sysUptime    : 19d 4h 38m 12s\n sysContact   :\n sysName      :\n sysLocation  : SupportCenter\n sysServices  : 6\n\n

I've run searches and used | regex _raw=".?\|.?|(.*?)\|" and it captures events.

I've also tried the following regex:

(?i)^results|timestamp\|.*\|(.*)\|

When I use any of these the host field is always the machine that processed the config file.

What am I doing wrong?



Splunk Employee

The host_regex parameter in the [monitor] stanza of inputs.conf works on the filename, not the event data itself. Check out the inputs.conf documentation:

Add host_regex = <regular expression> to override the host field with a value extracted using a regular expression.

host_regex = $YOUR_REGEX

The regular expression extracts the host value from the filename of each input. The first capturing group of the regex is used as the host.

Note: If the regex fails to match, the default host = attribute is set as the host.

You will need to use the field override approach described by hulahoop.

Splunk Employee

Your RegEx will match multiple times in the sample data, which is probably why it isn't working. You should add a leading ^ to force the RegEx to match only from the beginning of the line.

I would write the RegEx like this:


This RegEx will match as the host.

Splunk Employee

Not sure why host_regex is not working. Have you tried configuring it as an index-time field override?

props.conf (the stanza name is assumed to be the sourcetype from the question's inputs.conf):

[nessus]
TRANSFORMS-nessus = setHost

transforms.conf (the stanza name is taken from the TRANSFORMS reference above):

[setHost]
DEST_KEY = MetaData:Host
# Anchor on the "results" records, escape every literal pipe and capture the
# second field (the scanned host). The pattern as originally posted had an
# unescaped '|' in the middle, which PCRE reads as alternation, so $1 was never the host.
REGEX = ^results\|([^|]+)\|
FORMAT = host::$1

You will need to restart Splunk for this to take effect and it will only apply to new incoming events, not retroactively.
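To show why the patterns in this thread capture the wrong field and why an anchored, pipe-escaped pattern extracts the scanned host, here is an added Python check (not part of the thread and not Splunk's own code) run against constructed NBE records modelled on the sample above; Python's re module treats these constructs the same way Splunk's PCRE engine does.

```python
import re
from typing import List, Optional

# Constructed NBE records modelled on the sample in the question (not real scan data).
NBE_LINES = [
    "timestamps|||host_start|Thu Dec  9 15:27:16 2010|",
    "results|192.168.250||snmp (161/udp)|10800|Security Note|\\nSynopsis :\\n...",
    "results|10.0.0.7|dmz|http (80/tcp)|11219|Security Hole|\\nSynopsis :\\n...",
]

# Pattern from the question's inputs.conf: the unescaped '|' in the middle is an
# alternation, so the left branch ".*?\|.*?" matches "results|" at offset 0 and
# group 1 is never set.
QUESTION_REGEX = re.compile(r".*?\|.*?|(.*?)\|")

# Pattern from the transforms.conf answer: same alternation problem, but here the
# left branch ".?\|.?" fails at offset 0 and the right branch captures "results".
ANSWER_REGEX = re.compile(r".?\|.?|(.*?)\|")

# Corrected pattern: anchor on 'results' records, escape every literal pipe and
# capture the second field (the scanned host) up to the next pipe.
FIXED_REGEX = re.compile(r"^results\|([^|]+)\|")


def extract_host(line: str, pattern: re.Pattern) -> Optional[str]:
    """Return what Splunk would substitute for $1, or None if nothing was captured."""
    m = pattern.search(line)
    if m is None:
        return None
    return m.group(1)  # None when the winning alternative contains no group 1


def hosts_for(pattern: re.Pattern) -> List[str]:
    """Apply one pattern to every record, keeping only non-empty captures."""
    return [h for h in (extract_host(line, pattern) for line in NBE_LINES) if h]


if __name__ == "__main__":
    for name, pat in [("question", QUESTION_REGEX), ("answer", ANSWER_REGEX), ("fixed", FIXED_REGEX)]:
        print(f"{name:>8}: {hosts_for(pat)}")
```

Only the corrected pattern yields the IP addresses; the question's pattern yields no capture at all and the answer's pattern yields the record type instead of the host.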