Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

host_regex vs tranforms.

a212830
Champion
‎02-22-2014 06:43 AM

Hi,

I am processing lots of syslog messages via rsyslog. The messages get routed to logfiles, which have the format of system-hostname.log. In order to get the proper hostname, I had been using a transforms, but I recently realized that I could to the same via host_regex. Which is the preferred method?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎02-22-2014 10:11 AM

If there were a "Best Practice" per-se (which there really isn't, in this case) it would be as you have done, to have the host designated in the file name, since the file name is accessible from so many different configuration files. So Bravo for the accidental forethought!

It's more a consideration as to flexibility and a consideration of "what might change". The host_regex is on the inputs and therefore tied to the source. So you could still change it at index time by catching it in a transforms should you need to, on the other hand... if you have individual input monitors routing to various sourcetypes, you are repeating your host_regex declaration over and over... and should you want to make a universal change, now you have individual inputs to attend to, whereas you can build a regex in a transforms that simply grabs the host from the filename universally (or to whatever scope you require)

So the answer is: "It Depends" 🙂

It really does depend on your overall topography. And really - the host_regex is a more granular designation. It applies only to that one source on that one inputs monitor. A transforms stanza could be applied to many sources.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

Reply
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎02-22-2014 10:11 AM

If there were a "Best Practice" per-se (which there really isn't, in this case) it would be as you have done, to have the host designated in the file name, since the file name is accessible from so many different configuration files. So Bravo for the accidental forethought!

It's more a consideration as to flexibility and a consideration of "what might change". The host_regex is on the inputs and therefore tied to the source. So you could still change it at index time by catching it in a transforms should you need to, on the other hand... if you have individual input monitors routing to various sourcetypes, you are repeating your host_regex declaration over and over... and should you want to make a universal change, now you have individual inputs to attend to, whereas you can build a regex in a transforms that simply grabs the host from the filename universally (or to whatever scope you require)

So the answer is: "It Depends" 🙂

It really does depend on your overall topography. And really - the host_regex is a more granular designation. It applies only to that one source on that one inputs monitor. A transforms stanza could be applied to many sources.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-22-2014 09:59 AM

If the host is in the path you should extract it from there using host_regex. In principle that should allow Splunk to extract it once per file, not once per event. Didn't test if Splunk is that smart in this case, but usually it is 🙂

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...