Splunk Search

Can you help me create a regex that would extract a host from a path?

mlevsh
Builder

How can I extract hostname from the path for host_regex in data input on directory monitoring?

I need only host name

/export/var/path/host1.log
/export/var/path/host-02.ac.lp.our.domain.log
/export/var/path/host3.ac.lp.our.domain.log

so it should be

host1
host-02
host3

Thank you!

0 Karma

adonio
Ultra Champion

try this:
inputs.conf

[monitor:///export/var/path/host*]
host_regex = \/export\/var\/path\/(.*?[^\.]+)

regex101 link: https://regex101.com/r/L4xAkO/1

hope it helps

0 Karma

ddrillic
Ultra Champion

Slight simplification of \/export\/var\/path\/(.*?[^\.]+) is \/export\/var\/path\/(.*?)\. ; -)

0 Karma

mlevsh
Builder

Thank you so much for your quick reply @adonio

Expression works on regex101, but when I try it in Splunk (via GUI-> Index once) it doesn't work as expected

For example:
I’ve tried to test two files using (.*?[^.]+).

1) /export/var/path/host1-03.ac.lp.our.domain.log

Review
Input Type  File Monitor 
Source Path   /export/var/path/host1-03.ac.lp.our.domain.log
Continuously Monitor No, index once
Source Type  syslog
App Context  search
Host Source path regular expression: /export/var/path/(.*?[^\.]+)
Index  testregex

Got data but host was set to “host1-03.ac.lp.our.domain” without .log.
The objective to get host set to "host1-03"

2) But it worked for /export/var/path/host2b.log

Review
Input Type File Monitor
Source Path  /export/var/path/host1b.log
Continuously Monitor No, index once
Source Type syslog
App Context search
Host  Source path regular expression: /export/var/path/(.*?[^\.]+)
Index testregex

Got data and host was set to host1b

Cannot figure out what I'm missing.
Any advice?

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...