Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Add Data: Input Settings: Regular expression on pa...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm adding a CSV using the "Add Data" GUI in Splunk 6.2. When I get to the Input Settings page, I have the option to specify a "Regular expression on path" to define the Host field. However, I have not been able to find any documentation on the correct syntax.
I'm not really concerned with the path of the file, so much as I am the file name in the path. So, for example, my file name is:
albatross-b8197b6cf24c.abcd.20150208.hardata.csv
I want to extract "b8197b6cf24c" and use that as the Host name. How would I specify the regular expression to do that from the Input Settings of the GUI?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on a file location similar to /opt/input_data/albatross-b8197b6cf24c.abcd.20150208.hardata.csv
You could use something like
\/\S+-(?<host>.+)\.\w+\.+\S+\d+\.\w+\.csv
Someone can provide a neater regex but you get the idea.
Doco is here : http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Setadefaulthostforaninput
Edit inputs.conf
You can set up dynamic host extraction rules by directly configuring inputs.conf.
Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.
Use the host_regex attribute to override the host field with a value extracted through a regular expression:
[monitor://]
host_regex =
The regular expression extracts the host value from the filename of each input. The first capturing group of the regular expression is used as the host.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on a file location similar to /opt/input_data/albatross-b8197b6cf24c.abcd.20150208.hardata.csv
You could use something like
\/\S+-(?<host>.+)\.\w+\.+\S+\d+\.\w+\.csv
Someone can provide a neater regex but you get the idea.
Doco is here : http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Setadefaulthostforaninput
Edit inputs.conf
You can set up dynamic host extraction rules by directly configuring inputs.conf.
Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.
Use the host_regex attribute to override the host field with a value extracted through a regular expression:
[monitor://]
host_regex =
The regular expression extracts the host value from the filename of each input. The first capturing group of the regular expression is used as the host.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
