Getting Data In

Help extracting hostname with host_regex from path

jelli5518
Engager

Log files are list this:

/audit/files/any/path/host1.audittype-secure.timestamp.audit.log.1
/audit/files/hostab.audittype-audit.timestamp.txt
etc...

Example:
/audit/files/path/host123.secure.2019080165784.audit.log.1

I want Splunk to have host as "host1" and "hostab" and "host123", and etc..

I have this in inputs.conf:

[monitor:///audit/files]
host_regex = \/S+([^.]).*

But it isn't working at all.

I'm trying to set hostname to the string between the last / and the first.

0 Karma
1 Solution

mayurr98
Super Champion

try this :

host_regex = .*\/(host[^\.]+).*

OR

host_regex = \/(host[^\.]+)

View solution in original post

mayurr98
Super Champion

try this :

host_regex = .*\/(host[^\.]+).*

OR

host_regex = \/(host[^\.]+)

jelli5518
Engager

The first worked!
The second put the path in the hostname.

Seems like I needed to remove the "host" keyboard from the above. I'm using Splunk Enterprise 7.1.2, if that matters.

Thanks!

0 Karma

mayurr98
Super Champion

You are welcome!
Yeah .*\/([^\.]+).* will also work. Please accept the answer if it works for you to close the question.

0 Karma

jelli5518
Engager

My log files don't actually have the word "host" in them-- that was just an example. Thanks again!

0 Karma
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...