Getting Data In

Help extracting hostname with host_regex from path

jelli5518
Engager

Log files are list this:

/audit/files/any/path/host1.audittype-secure.timestamp.audit.log.1
/audit/files/hostab.audittype-audit.timestamp.txt
etc...

Example:
/audit/files/path/host123.secure.2019080165784.audit.log.1

I want Splunk to have host as "host1" and "hostab" and "host123", and etc..

I have this in inputs.conf:

[monitor:///audit/files]
host_regex = \/S+([^.]).*

But it isn't working at all.

I'm trying to set hostname to the string between the last / and the first.

0 Karma
1 Solution

mayurr98
SplunkTrust
SplunkTrust

try this :

host_regex = .*\/(host[^\.]+).*

OR

host_regex = \/(host[^\.]+)

View solution in original post

mayurr98
SplunkTrust
SplunkTrust

try this :

host_regex = .*\/(host[^\.]+).*

OR

host_regex = \/(host[^\.]+)

View solution in original post

jelli5518
Engager

The first worked!
The second put the path in the hostname.

Seems like I needed to remove the "host" keyboard from the above. I'm using Splunk Enterprise 7.1.2, if that matters.

Thanks!

0 Karma

mayurr98
SplunkTrust
SplunkTrust

You are welcome!
Yeah .*\/([^\.]+).* will also work. Please accept the answer if it works for you to close the question.

0 Karma

jelli5518
Engager

My log files don't actually have the word "host" in them-- that was just an example. Thanks again!

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!