Set regex hostname from file location

dersa · ‎04-24-2024

Hi, I am having troubles with providing the correct regex to extract the hostname from the file location. The file structure looks like this

/var/log/syslog/splunk-lb/ise/switch01.log

I need only the switch01 as hostname but splunk add switch01.log.

The regex i use is (?:[\/][^\/]*){1,}[\/](\w*)

Any idea how to modify the regex to match only switch01?

thanks

Alex

PickleRick · ‎04-24-2024

Your regex seems pretty OK. You could try to simplify it a bit (the character class is not needed if you want just one character, slashes don't need escaping and {1,} can be replaced by +) so you could do something like this:

(?:/[^/]*)+/(\w*)

But you can simplify it even further

(?:.*)/(\w*)

You could take one thing into account though - a valid hostname can contain a dash which is not included in \w. Also, depending on your environment, if it's a FQDN, it can contain dots.

dersa · ‎04-24-2024

Cheers Rick,

The regex I ended up is like this (?:.*)\/(\w*). The one you suggested,(?:.*)/(\w*), didn't work.

thanks Alex

PickleRick · ‎04-25-2024

That is puzzling. If I understand correctly, you're talking about the host_regex setting of the monitor input, right?

The docs don't say that there is any kind of escaping required. If it is however, it would be great if you posted a docs feedback (there is a form at the bottom of https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf ) describing your situation and how it differs from the described state.

Set regex hostname from file location

using Splunk Enterprise

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...