Splunk Enterprise

host_regex help

a212830
Champion

Hi,

I need to set the host field, based upon the hostname in my file. I know that this is done via host_regex, but I need help with the regex.

The files all begin with system-nx and end with .log. Almost anything can be between the nx and the .log.

For example:

system-nx247sa.log
system-nxtest.log
system-nx27abc.log

1 Solution

MuS
Legend

Hi a212830,

Based on the provided examples, something like this should work for you:

\-nx(?<myHost>.+)\.log

hope this helps ...

cheers, MuS


a212830
Champion

Thanks. I've tried the regexr.com site, but it's not very useful. It doesn't really say how to use it. Probably me...

MuS
Legend

/k regex should still be valid, but maybe .log is not the end of the string? Can you try this:

(?<=system\-)(.+)(?=\.log)

btw, you can play around with your data here http://regexr.com/ 😉

a212830
Champion

abc-twus601m-b2. Basically, anything after the system- to .log. I can't control what is there, so it could include dashes and underscores, and be any case.

MuS
Legend

what would be the host name then, abc-twus601m-b2 or twus601m-b2?

a212830
Champion

This is working great, but I noticed that it doesn't parse on some values - if they have multiple dashes, for example (wasn't expecting that).

system-abc-twus601m-b2.log

kristian_kolb
Ultra Champion

Yes, the host_regex operates on the source field.

a212830
Champion

Thanks - this worked. Is the host_regex including the path of the file in its parsing?

kristian_kolb
Ultra Champion

Aah, it does not really work that way. The asterisk in the [monitor] does not behave like normal regex. It actually translates to [^/\\]*, i.e. match any number of characters as long as they are not slash or backslash.

This also means that your host_regex will fail, since there, the asterisk takes its normal meaning, i.e. match the preceding character zero or more times.

Also, you do not have a correctly defined capturing group in the regex.

Try this instead (includes the "nx" part):

host_regex = \/system-(.+)\.log$

/k
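To make the two points above concrete (the monitor wildcard is a glob that expands to `[^/\\]*`, while host_regex is a real regex applied to the full source path), here is an added Python example that is not from the thread or from Splunk. The source paths are constructed to fit the stanza `[monitor:///apps/logs/*/*/*/system-nx*.log]`; the glob translation and the rule that capture group 1 becomes the host are modelled after Splunk's documented behaviour. MuS's named group `(?<myHost>...)` is valid in Splunk's PCRE engine but has to be written `(?P<myHost>...)` for Python's `re`, so it is rewritten that way here.

```python
import re
from typing import Optional

# Constructed sample source paths (not real files), shaped like the thread's stanza
# [monitor:///apps/logs/*/*/*/system-nx*.log]. host_regex runs against the whole
# source path, not just the file name.
SAMPLE_SOURCES = [
    "/apps/logs/dc1/app/2024/system-nx247sa.log",
    "/apps/logs/dc1/app/2024/system-nxtest.log",
    "/apps/logs/dc2/web/2024/system-abc-twus601m-b2.log",
]


def monitor_glob_to_regex(monitor_path: str) -> "re.Pattern[str]":
    """Translate a [monitor] path the way Splunk does: every '*' becomes a run of
    characters that contains no slash or backslash; everything else is literal."""
    literal_parts = [re.escape(part) for part in monitor_path.split("*")]
    return re.compile("^" + r"[^/\\]*".join(literal_parts) + "$")


def monitor_matches(monitor_path: str, source: str) -> bool:
    """True if the monitor stanza would pick up this source path."""
    return monitor_glob_to_regex(monitor_path).match(source) is not None


# host_regex suggested in the thread for names with arbitrary dashes: anchored on the
# '/system-' separator and on '.log' at the end of the string; group 1 becomes the host.
HOST_REGEX_PATH = r"\/system-(.+)\.log$"

# MuS's first suggestion; the named group is written in Python's (?P<name>...) form.
# It requires a literal '-nx', which is why multi-dash names without it do not match.
HOST_REGEX_NX = r"\-nx(?P<myHost>.+)\.log"

# The original attempt from the thread, as posted (quotes dropped): the capturing
# group opened at '(NnXx' is never closed, so the pattern does not even compile.
HOST_REGEX_BROKEN = r"/apps/logs/*/*/*/system-(NnXx\w+[a-zA-Z0-9][.]log"


def extract_host(source: str, host_regex: str) -> Optional[str]:
    """Apply a host_regex to a source path and return capture group 1, which is what
    Splunk assigns to the host field; None when the pattern does not match."""
    match = re.search(host_regex, source)
    return match.group(1) if match else None


def regex_compiles(pattern: str) -> bool:
    """Quick syntax check for a pattern before putting it into inputs.conf."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    stanza = "/apps/logs/*/*/*/system-nx*.log"
    for src in SAMPLE_SOURCES:
        print(src)
        print(f"  picked up by [monitor:{stanza}]: {monitor_matches(stanza, src)}")
        print(f"  host via {HOST_REGEX_PATH!r}: {extract_host(src, HOST_REGEX_PATH)}")
        print(f"  host via {HOST_REGEX_NX!r}: {extract_host(src, HOST_REGEX_NX)}")
    print(f"original attempt compiles: {regex_compiles(HOST_REGEX_BROKEN)}")
```

Running it shows the trade-off discussed in the thread: the path-anchored pattern yields `nx247sa` and `abc-twus601m-b2`, the `-nx` pattern yields `247sa` and nothing for the multi-dash name, and the third sample is not even collected by the `system-nx*.log` stanza, so the monitor path has to be widened together with the host_regex.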

a212830
Champion

This was my attempt:

[monitor:///apps/logs/*/*/*/system-nx*.log]
recursive  = Yes
index=perfstats
sourcetype = lcs_syslog
followTail = 0
disabled = 0
host_regex = "/apps/logs/*/*/*/system-(NnXx\w+[a-zA-Z0-9][.]log"

a212830
Champion

Thanks. I'm not looking to do this in the search bar, but rather in the inputs.conf via host_regex, using a forwarder.
