- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm adding a CSV using the "Add Data" GUI in Splunk 6.2. When I get to the Input Settings page, I have the option to specify a "Regular expression on path" to define the Host field. However, I have not been able to find any documentation on the correct syntax.
I'm not really concerned with the path of the file, so much as I am the file name in the path. So, for example, my file name is:
albatross-b8197b6cf24c.abcd.20150208.hardata.csv
I want to extract "b8197b6cf24c" and use that as the Host name. How would I specify the regular expression to do that from the Input Settings of the GUI?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on a file location similar to /opt/input_data/albatross-b8197b6cf24c.abcd.20150208.hardata.csv
You could use something like
\/\S+-(?<host>.+)\.\w+\.+\S+\d+\.\w+\.csv
Someone can provide a neater regex but you get the idea.
Doco is here : http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Setadefaulthostforaninput
Edit inputs.conf
You can set up dynamic host extraction rules by directly configuring inputs.conf.
Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.
Use the host_regex attribute to override the host field with a value extracted through a regular expression:
[monitor://]
host_regex =
The regular expression extracts the host value from the filename of each input. The first capturing group of the regular expression is used as the host.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on a file location similar to /opt/input_data/albatross-b8197b6cf24c.abcd.20150208.hardata.csv
You could use something like
\/\S+-(?<host>.+)\.\w+\.+\S+\d+\.\w+\.csv
Someone can provide a neater regex but you get the idea.
Doco is here : http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Setadefaulthostforaninput
Edit inputs.conf
You can set up dynamic host extraction rules by directly configuring inputs.conf.
Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.
Use the host_regex attribute to override the host field with a value extracted through a regular expression:
[monitor://]
host_regex =
The regular expression extracts the host value from the filename of each input. The first capturing group of the regular expression is used as the host.
