Solved: Help extracting hostname with host_regex from path

jelli5518 · ‎11-05-2019

Log files are list this:

/audit/files/any/path/host1.audittype-secure.timestamp.audit.log.1
/audit/files/hostab.audittype-audit.timestamp.txt
etc...

Example:
/audit/files/path/host123.secure.2019080165784.audit.log.1

I want Splunk to have host as "host1" and "hostab" and "host123", and etc..

I have this in inputs.conf:

[monitor:///audit/files]
host_regex = \/S+([^.]).*

But it isn't working at all.

I'm trying to set hostname to the string between the last / and the first.

mayurr98 · ‎11-05-2019

try this :

host_regex = .*\/(host[^\.]+).*

OR

host_regex = \/(host[^\.]+)

mayurr98 · ‎11-05-2019

try this :

host_regex = .*\/(host[^\.]+).*

OR

host_regex = \/(host[^\.]+)

jelli5518 · ‎11-06-2019

The first worked!
The second put the path in the hostname.

Seems like I needed to remove the "host" keyboard from the above. I'm using Splunk Enterprise 7.1.2, if that matters.

Thanks!

mayurr98 · ‎11-06-2019

You are welcome!
Yeah .*\/([^\.]+).* will also work. Please accept the answer if it works for you to close the question.

jelli5518 · ‎11-06-2019

My log files don't actually have the word "host" in them-- that was just an example. Thanks again!

Help extracting hostname with host_regex from path