Getting Data In

Help extracting hostname with host_regex from path

jelli5518
Engager

Log files are list this:

/audit/files/any/path/host1.audittype-secure.timestamp.audit.log.1
/audit/files/hostab.audittype-audit.timestamp.txt
etc...

Example:
/audit/files/path/host123.secure.2019080165784.audit.log.1

I want Splunk to have host as "host1" and "hostab" and "host123", and etc..

I have this in inputs.conf:

[monitor:///audit/files]
host_regex = \/S+([^.]).*

But it isn't working at all.

I'm trying to set hostname to the string between the last / and the first.

0 Karma
1 Solution

mayurr98
Super Champion

try this :

host_regex = .*\/(host[^\.]+).*

OR

host_regex = \/(host[^\.]+)

View solution in original post

mayurr98
Super Champion

try this :

host_regex = .*\/(host[^\.]+).*

OR

host_regex = \/(host[^\.]+)

jelli5518
Engager

The first worked!
The second put the path in the hostname.

Seems like I needed to remove the "host" keyboard from the above. I'm using Splunk Enterprise 7.1.2, if that matters.

Thanks!

0 Karma

mayurr98
Super Champion

You are welcome!
Yeah .*\/([^\.]+).* will also work. Please accept the answer if it works for you to close the question.

0 Karma

jelli5518
Engager

My log files don't actually have the word "host" in them-- that was just an example. Thanks again!

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...