Splunk Search

Can you help me create a regex that would extract a host from a path?

mlevsh
Builder

How can I extract hostname from the path for host_regex in data input on directory monitoring?

I need only host name

/export/var/path/host1.log
/export/var/path/host-02.ac.lp.our.domain.log
/export/var/path/host3.ac.lp.our.domain.log

so it should be

host1
host-02
host3

Thank you!

0 Karma

adonio
Ultra Champion

try this:
inputs.conf

[monitor:///export/var/path/host*]
host_regex = \/export\/var\/path\/(.*?[^\.]+)

regex101 link: https://regex101.com/r/L4xAkO/1

hope it helps

0 Karma

ddrillic
Ultra Champion

Slight simplification of \/export\/var\/path\/(.*?[^\.]+) is \/export\/var\/path\/(.*?)\. ; -)

0 Karma

mlevsh
Builder

Thank you so much for your quick reply @adonio

Expression works on regex101, but when I try it in Splunk (via GUI-> Index once) it doesn't work as expected

For example:
I’ve tried to test two files using (.*?[^.]+).

1) /export/var/path/host1-03.ac.lp.our.domain.log

Review
Input Type  File Monitor 
Source Path   /export/var/path/host1-03.ac.lp.our.domain.log
Continuously Monitor No, index once
Source Type  syslog
App Context  search
Host Source path regular expression: /export/var/path/(.*?[^\.]+)
Index  testregex

Got data but host was set to “host1-03.ac.lp.our.domain” without .log.
The objective to get host set to "host1-03"

2) But it worked for /export/var/path/host2b.log

Review
Input Type File Monitor
Source Path  /export/var/path/host1b.log
Continuously Monitor No, index once
Source Type syslog
App Context search
Host  Source path regular expression: /export/var/path/(.*?[^\.]+)
Index testregex

Got data and host was set to host1b

Cannot figure out what I'm missing.
Any advice?

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...