Splunk Search

Add Data: Input Settings: Regular expression on path/filename to create Host field

masonmorales
Influencer

I'm adding a CSV using the "Add Data" GUI in Splunk 6.2. When I get to the Input Settings page, I have the option to specify a "Regular expression on path" to define the Host field. However, I have not been able to find any documentation on the correct syntax.

I'm not really concerned with the path of the file, so much as I am the file name in the path. So, for example, my file name is:

albatross-b8197b6cf24c.abcd.20150208.hardata.csv

I want to extract "b8197b6cf24c" and use that as the Host name. How would I specify the regular expression to do that from the Input Settings of the GUI?

Tags (5)
0 Karma
1 Solution

Lucas_K
Motivator

Based on a file location similar to /opt/input_data/albatross-b8197b6cf24c.abcd.20150208.hardata.csv

You could use something like

\/\S+-(?<host>.+)\.\w+\.+\S+\d+\.\w+\.csv

Someone can provide a neater regex but you get the idea.

Doco is here : http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Setadefaulthostforaninput

Edit inputs.conf
You can set up dynamic host extraction rules by directly configuring inputs.conf.

Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.

Use the host_regex attribute to override the host field with a value extracted through a regular expression:

[monitor://]
host_regex =
The regular expression extracts the host value from the filename of each input. The first capturing group of the regular expression is used as the host.

View solution in original post

Lucas_K
Motivator

Based on a file location similar to /opt/input_data/albatross-b8197b6cf24c.abcd.20150208.hardata.csv

You could use something like

\/\S+-(?<host>.+)\.\w+\.+\S+\d+\.\w+\.csv

Someone can provide a neater regex but you get the idea.

Doco is here : http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Setadefaulthostforaninput

Edit inputs.conf
You can set up dynamic host extraction rules by directly configuring inputs.conf.

Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.

Use the host_regex attribute to override the host field with a value extracted through a regular expression:

[monitor://]
host_regex =
The regular expression extracts the host value from the filename of each input. The first capturing group of the regular expression is used as the host.

View solution in original post

Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.