Splunk Search

Can you help me make a regular expression for inputs.conf on a Splunk forwarder?

meet_vadaria
Engager

Hi,

I am collecting all log files on a syslog server where I have a Splunk forwarder installed. To override the syslog server's host with the actual source host, I'm trying to create a regular expression, but I can't figure it out. I am using host_regex inside inputs.conf to do this. Below is an example of my configuration:

inputs.conf:
[monitor:///var/log/syslog/]
host_regex=.*(\d+-\d+-\d+-\d+)*

My directory structure is /var/log/syslog//*.log

I have a directory for each specific host, named after its hostname, and under that I am receiving all logs from that host.
How can I get that directory name with host_regex, so that in Splunk I get the actual hostname and override the syslog server's hostname?

Thanks in advance!


markusspitzli
Communicator

Sounds like our configuration, but we used host_segment.
The file structure has the following naming:
BASEDIR/uc/INDEX/HOSTNAME/SOURCETYPE/LOGFILE

[monitor:///var/log/rsyslog-splunk/uc/vmware-esxilog/*/vmw-syslog/*.log]
host_segment = 6

It works very well and we don't need to regex the hostname.


burwell
SplunkTrust

Hello @meet_vadaria.

I recommend that you verify your regex on the website regex101.com

I would imagine you might want
host_regex=.*(\d+-\d+-\d+-\d+)+ not host_regex=.*(\d+-\d+-\d+-\d+)* or else the host name might end up empty?

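The following is an added example, not code from the thread above or from Splunk. It emulates what host_regex and host_segment do (apply the pattern to the full path and take the first capture group; take the Nth slash-separated segment) and runs the three patterns under discussion plus a directory-capturing alternative over constructed sample paths. The sample paths, the hostnames in them and the pattern DIRNAME_REGEX are assumptions for illustration; Python's re module is assumed to behave like Splunk's PCRE for these simple expressions.

```python
import re

# Constructed sample paths (not from the thread). The question's layout is
# /var/log/syslog/<hostname>/<file>.log; the second reply's layout is
# BASEDIR/uc/INDEX/HOSTNAME/SOURCETYPE/LOGFILE. Hostnames are made up.
SAMPLE_PATHS = [
    "/var/log/syslog/web-01/auth.log",
    "/var/log/syslog/10-0-0-5/messages.log",
    "/var/log/rsyslog-splunk/uc/vmware-esxilog/esxi-host-17/vmw-syslog/vmkernel.log",
]

# Patterns as they appear in the thread, plus one alternative (assumption)
# that captures the directory component directly after /var/log/syslog/.
ORIGINAL_REGEX = r".*(\d+-\d+-\d+-\d+)*"       # from the question
PLUS_REGEX = r".*(\d+-\d+-\d+-\d+)+"           # from burwell's reply
DIRNAME_REGEX = r"^/var/log/syslog/([^/]+)/"   # added alternative

# The equivalent inputs.conf stanzas for the alternatives (assumption that
# the stanza path matches the layout; shown here only as a comment):
#   [monitor:///var/log/syslog/]
#   host_regex = ^/var/log/syslog/([^/]+)/
# or, counting segments from 1 after the leading slash (var=1, log=2, ...):
#   [monitor:///var/log/syslog/]
#   host_segment = 4


def host_from_regex(path, pattern):
    """Emulate host_regex: match the pattern against the full path and use the
    first capture group as the host. Returns None when the pattern does not
    match at all, and "" when it matches but the group captured nothing
    (which is what an optional group like (...)* can do)."""
    m = re.search(pattern, path)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else ""


def host_from_segment(path, n):
    """Emulate host_segment: return the Nth '/'-separated path segment,
    counting from 1 after the leading slash. None if out of range."""
    segments = path.lstrip("/").split("/")
    if n < 1 or n > len(segments):
        return None
    return segments[n - 1]


def evaluate(paths):
    """Run every pattern and host_segment=4/6 over the paths; returns a dict
    keyed by path so the results can be inspected or asserted on."""
    results = {}
    for p in paths:
        results[p] = {
            "original": host_from_regex(p, ORIGINAL_REGEX),
            "plus": host_from_regex(p, PLUS_REGEX),
            "dirname": host_from_regex(p, DIRNAME_REGEX),
            "segment4": host_from_segment(p, 4),
            "segment6": host_from_segment(p, 6),
        }
    return results


if __name__ == "__main__":
    for path, hosts in evaluate(SAMPLE_PATHS).items():
        print(path)
        for name, value in hosts.items():
            print(f"  {name:9s} -> {value!r}")
```

Two things the run makes visible. With the leading greedy `.*`, the `(...)*` version matches but captures nothing, so the host would be empty, and the `(...)+` version only matches when the directory name is four dash-separated digit runs and, because `.*` backtracks from the end, it hands back the shortest trailing match (`0-0-0-5` rather than `10-0-0-5`). Anchoring to the known prefix and capturing `[^/]+` returns the whole directory name for any hostname, and host_segment does the same without a regex. Whichever you use, the host field is only as trustworthy as the directory name: if the syslog receiver names directories from the hostname carried in the message, a sender that can reach the receiver can choose what host its events are attributed to.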