Re: Regex not extracting host

abhi04 · ‎05-01-2024

Hi all,

our regex is unable to extract host from the logs, can you pleas ehelp with the correct regex.though this regex works when checked in regex101, not sure why unable to extract

[hostextract]
REGEX = ^.*\w+\s+\d+\s+(?:\d+:){2}\d+\s+(?P<test>\w+)\s+
SOURCE_KEY = _raw
DEST_KEY = MetaData:Host
FORMAT = host::$1

e.g. logs format

May 1 08:35:30 10.98.6.249 May 1 08:35:30 host_abc

Apr 10 08:45:20 10.98.6.249 Apr 10 08:45:20 host_def

May 1 08:35:30 10.98.6.249 May 1 08:35:30 host_ghi

abhi04 · ‎05-01-2024

The starting format of logs in regex101

kiran_panchavat · ‎05-01-2024

@abhi04 Hello Abhi, Please use the below regex.

Does my answer above solve your question? If yes, spare a moment to accept the answer and vote for it. Thanks.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

Regex not extracting host

configuration

Splunk Investigate

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Are you a member of the Splunk Community?