How can I extract hostname from the path for host_regex in data input on directory monitoring?
I need only host name
/export/var/path/host1.log
/export/var/path/host-02.ac.lp.our.domain.log
/export/var/path/host3.ac.lp.our.domain.log
so it should be
host1
host-02
host3
Thank you!
try this:
inputs.conf
[monitor:///export/var/path/host*]
host_regex = \/export\/var\/path\/(.*?[^\.]+)
regex101 link: https://regex101.com/r/L4xAkO/1
hope it helps
Slight simplification of \/export\/var\/path\/(.*?[^\.]+)
is \/export\/var\/path\/(.*?)\.
; -)
Thank you so much for your quick reply @adonio
Expression works on regex101, but when I try it in Splunk (via GUI-> Index once) it doesn't work as expected
For example:
I’ve tried to test two files using (.*?[^.]+).
1) /export/var/path/host1-03.ac.lp.our.domain.log
Review
Input Type File Monitor
Source Path /export/var/path/host1-03.ac.lp.our.domain.log
Continuously Monitor No, index once
Source Type syslog
App Context search
Host Source path regular expression: /export/var/path/(.*?[^\.]+)
Index testregex
Got data but host was set to “host1-03.ac.lp.our.domain” without .log.
The objective to get host set to "host1-03"
2) But it worked for /export/var/path/host2b.log
Review
Input Type File Monitor
Source Path /export/var/path/host1b.log
Continuously Monitor No, index once
Source Type syslog
App Context search
Host Source path regular expression: /export/var/path/(.*?[^\.]+)
Index testregex
Got data and host was set to host1b
Cannot figure out what I'm missing.
Any advice?