Hi,
I need to set the host field, based upon the hostname in my file. I know that this is done via host_regex, but I need help with the regex.
The files all begin with system-nx and end with .log. Almost anything can be between the nx and the .log
For example:
system-nx247sa.log
system-nxtest.log
system-nx27abc.log
Hi a212830,
based on the provided examples, something like this should work for you:
\-nx(?<myHost>.+)\.log
hope this helps ...
cheers, MuS
Thanks. I've tried the regexr.com site, but it's not very useful. It doesn't really say how to use it. Probably me...
/k regex should still be valid, but maybe .log is not the end of the string? Can you try this:
(?<=system\-)(.+)(?=\.log)
btw, you can play around with your data here http://regexr.com/ 😉
abc-twus601m-b2. Basically, anything after the system- to .log. I can't control what is there, so it could include dashes and underscores, and be any case.
what would be the host name then, abc-twus601m-b2 or twus601m-b2?
This is working great, but I noticed that it doesn't parse on some values - if they have multiple dashes, for example (wasn't expecting that).
system-abc-twus601m-b2.log
Yes, the host_regex operates on the source field.
Thanks - this worked. Is the host_regex including the path of the file in its parsing?
Aah, it does not really work that way. The asterisk in the [monitor] does not behave like normal regex. It actually translates to [^/\\]*, i.e. match any number of characters as long as they are not slash or backslash.
This also means that your host_regex will fail, since there, the asterisk takes its normal meaning, i.e. match the preceding character zero or more times.
Also, you do not have a correctly defined capturing group in the regex.
Try this instead (includes the "nx" part):
host_regex = \/system-(.+)\.log$
/k
This was my attempt:
[monitor:///apps/logs/*/*/*/system-nx*.log]
recursive = Yes
index=perfstats
sourcetype = lcs_syslog
followTail = 0
disabled = 0
host_regex = "/apps/logs/*/*/*/system-(NnXx\w+[a-zA-Z0-9][.]log"
Thanks. I'm not looking to do this in the search bar, but rather in the inputs.conf via host_regex, using a forwarder.
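The monitor wildcard rule and the patterns posted in this thread, run against two constructed source paths; this is an added example, not part of any post. It assumes Node's regex engine behaves like Splunk's PCRE for these patterns and that host is taken from the first capture group; the function names and sample paths are made up for illustration.

```javascript
// Added example, not from the thread. Node's regex engine stands in for
// Splunk's PCRE (assumption); all source paths below are constructed.

// "*" in a [monitor://] path, per the rule quoted in the thread: [^/\\]*
function monitorToRegex(stanzaPath) {
  const body = stanzaPath
    .split('*')
    .map(part => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&')) // literal parts
    .join('[^/\\\\]*');
  return new RegExp('^' + body + '$');
}

// host_regex: the first capture group, matched against source, becomes host.
function extractHost(pattern, source) {
  const m = pattern.exec(source);
  return m && m[1] !== undefined ? m[1] : null;
}

// True if the pattern text compiles at all.
function compiles(patternText) {
  try { new RegExp(patternText); return true; } catch (e) { return false; }
}

const patterns = {
  afterNx: /\-nx(?<myHost>.+)\.log/,        // first suggestion
  lookaround: /(?<=system\-)(.+)(?=\.log)/, // second suggestion
  anchored: /\/system-(.+)\.log$/,          // final suggestion
};
// The attempted host_regex value, without its surrounding quotes.
const attempted = '/apps/logs/*/*/*/system-(NnXx\\w+[a-zA-Z0-9][.]log';

const sources = [
  '/apps/logs/a/b/c/system-nx247sa.log',
  '/apps/logs/a/b/c/system-abc-twus601m-b2.log',
];

// One line per (pattern, source) pair showing the extracted host.
function report() {
  const rows = [];
  for (const src of sources)
    for (const [name, re] of Object.entries(patterns))
      rows.push(`${name.padEnd(10)} ${src} -> ${extractHost(re, src)}`);
  return rows;
}

console.log(report().join('\n'));
console.log('attempted host_regex compiles:', compiles(attempted));
```
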