Getting Data In

Help extracting hostname with host_regex from path

jelli5518
Engager

Log files are list this:

/audit/files/any/path/host1.audittype-secure.timestamp.audit.log.1
/audit/files/hostab.audittype-audit.timestamp.txt
etc...

Example:
/audit/files/path/host123.secure.2019080165784.audit.log.1

I want Splunk to have host as "host1" and "hostab" and "host123", and etc..

I have this in inputs.conf:

[monitor:///audit/files]
host_regex = \/S+([^.]).*

But it isn't working at all.

I'm trying to set hostname to the string between the last / and the first.

0 Karma
1 Solution

mayurr98
Super Champion

try this :

host_regex = .*\/(host[^\.]+).*

OR

host_regex = \/(host[^\.]+)

View solution in original post

mayurr98
Super Champion

try this :

host_regex = .*\/(host[^\.]+).*

OR

host_regex = \/(host[^\.]+)

jelli5518
Engager

The first worked!
The second put the path in the hostname.

Seems like I needed to remove the "host" keyboard from the above. I'm using Splunk Enterprise 7.1.2, if that matters.

Thanks!

0 Karma

mayurr98
Super Champion

You are welcome!
Yeah .*\/([^\.]+).* will also work. Please accept the answer if it works for you to close the question.

0 Karma

jelli5518
Engager

My log files don't actually have the word "host" in them-- that was just an example. Thanks again!

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...