Log files are like this:
/audit/files/any/path/host1.audittype-secure.timestamp.audit.log.1
/audit/files/hostab.audittype-audit.timestamp.txt
etc...
I want Splunk to have host as "host1" and "hostab" and "host123", etc.
I have this in inputs.conf:
[monitor:///audit/files]
host_regex = \/S+([^.]).*
But it isn't working at all.
I'm trying to set hostname to the string between the last / and the first.
The first worked!
The second put the path in the hostname.
Seems like I needed to remove the "host" keyword from the above. I'm using Splunk Enterprise 7.1.2, if that matters.
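
The path matching discussed in this thread, as an added example that is not part of the original posts: it approximates `host_regex` (the first capture group of a match against the file path becomes the host) using Python's `re` module. The `ESCAPED` and `CANDIDATE` patterns, the third sample path and the function names are assumptions constructed for illustration.

```python
import re

# Paths as posted in the question, plus one constructed path for "host123".
SAMPLE_PATHS = [
    "/audit/files/any/path/host1.audittype-secure.timestamp.audit.log.1",
    "/audit/files/hostab.audittype-audit.timestamp.txt",
    "/audit/files/host123.audittype-audit.timestamp.txt",  # constructed
]

# Pattern exactly as posted: "S+" is one or more literal capital S, not \S.
POSTED = r"\/S+([^.]).*"
# Constructed variant with \S restored: the greedy \S+ swallows the path
# and the group captures a single trailing character.
ESCAPED = r"\/\S+([^.]).*"
# Assumed candidate: capture from the last "/" up to the first "." after it.
CANDIDATE = r"/([^/.]+)\.[^/]*$"


def extract_host(pattern, path):
    """Return the first capture group of an unanchored match, or None.

    None models the case where the regex does not match and the input's
    default host value is kept.
    """
    match = re.search(pattern, path)
    return match.group(1) if match else None


def hosts_for(pattern):
    """Apply one pattern to every sample path."""
    return [extract_host(pattern, path) for path in SAMPLE_PATHS]


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED),
                          ("escaped", ESCAPED),
                          ("candidate", CANDIDATE)):
        print(f"{name:10} {pattern:22} -> {hosts_for(pattern)}")
```

Checking a pattern against real file paths before deploying it matters for audit data, because a wrong or missing host value misattributes every event from that file.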