Getting Data In

How to Extract the host values from the path?

cecilia_cheng1
Explorer

Hello everyone,

I am new to splunk. I've got trouble when I was trying to get host values from the path.

The directory I set is D:\14. splunk\SMT\. No matter what kind of extract function i was using: regex or segment, it doesn't work.

For example,

The host name of the following file should be "PCXXXXX", but it still shows the default host name .

Capture-2.PNG

However, I already set the host name with regex on path, but it doesn't work...

I also tried Segment in path, it still the same...

Untitled picture.png

Please help...

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @cecilia_cheng1,

if you already indexed data, they remain in Splunk even if you deleted files!

If you want to delete them from Splunk, you have to use the delete command (with much muche attention!), but anyway, we're speaking of a logical deletion and not of a physical deletion.

If my answer solves your need, please accept it for the other people of Community.

See next time.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @cecilia_cheng1,

you could use the host_segment=3 but anyway, the regex to take the value is

^\w+:(\\[^\\]+){2}\\(?<host>[^\\]+)

that you can test at https://regex101.com/r/hPopwS/1

Ciao.

Giuseppe

cecilia_cheng1
Explorer

Hi @gcusello,

Really appreciated your reply,  I just tried your suggestion, but it still doesn't work... And I've tried the segment 3 before, not working...

😭

BR.

Cecilia

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @cecilia_cheng1,

please try this:

in your inputs.conf stanza

[monitor://D:\*\SMT\*]
host_regex = ^\w+:(\\[^\\]+){2}\\([^\\]+)

Otherwise, you could override the host value on Indexers or Heavy Forwarders in this way:

props.conf

#props.conf
[your_sourcetype]
TRANSFORMS-hostFromSource=hostFromSource

transforms.conf

#transforms.conf
[hostFromSource]
SOURCE_KEY = MetaData:Source
REGEX=^\w+:(\\[^\\]+){2}\\([^\\]+)
FORMAT = $1
DEST_KEY= MetaData:Host

for more infos see at https://docs.splunk.com/Documentation/Splunk/latest/Data/Setadefaulthostforaninput 

Ciao.

Giuseppe

cecilia_cheng1
Explorer

Hi @gcusello ,

Thank you for your supporting.

I moved the data to a new folder and reimported it with "host_segment" stanza and it worked...

The odd thing is, I deleted the original files and paths, but the previous imported files are still visible in the search. Maybe Splunk's data has memory or something, so the previous changes don't take effect and you need to create a new path?

BR.

Cecilia

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @cecilia_cheng1,

if you already indexed data, they remain in Splunk even if you deleted files!

If you want to delete them from Splunk, you have to use the delete command (with much muche attention!), but anyway, we're speaking of a logical deletion and not of a physical deletion.

If my answer solves your need, please accept it for the other people of Community.

See next time.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

cecilia_cheng1
Explorer

Hi @gcusello ,

Yes, that's what I figure out, that the Splunk will "store" the data once indexing them. That's explain everything. 

Thanks again~

BR

Cecilia

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...