Splunk Search

Data source 'host' regex, need some pointers.

teward001
Path Finder

Right now, we've got a path like: /splunk/data-sources/domain-botnet.csv, with numerous files, but each is a .csv file.

I'm trying to import it so that the host field returns the domain-botnet part of the filename, but not the whole filename.

Right now I'm trying to make it work sorta, but it only captures the first part of that filename, say, 'domain' or 'url' rather than what I want it to capture, and this is the regex I've come up with so far (keep in mind I'm a newbie at regex...): (url|domain|infrastructure|email|malware)-\w*

Anyone able to maybe give me some pointers on how to make this work? Note that this will also be applied to a Windows system as well as a Linux system, so it needs to be able to adapt to a variable-length path, traversing any number of directories and/or drive paths to extract the filename (minus the .csv extension)

Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try this:

host_regex=(?:[\\/][^\\/]*){1,}[\\/]([^\.]*)\.csv

RegExr (http://www.regexr.com/) is a great tool for testing regular expressions.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Try this:

host_regex=(?:[\\/][^\\/]*){1,}[\\/]([^\.]*)\.csv

RegExr (http://www.regexr.com/) is a great tool for testing regular expressions.

---
If this reply helps you, Karma would be appreciated.

teward001
Path Finder

Works perfectly, thanks!

0 Karma

lguinn2
Legend

In inputs.conf, use this

host_regex=(?:/|\\)(\S+?)\.csv$

should do it. HTH!

0 Karma

teward001
Path Finder

That does part of it, the host now shows up as "splunk/data-sources/domain-malware" or "splunk/data-sources/domain-botnet" or "splunk/data-sources/infrastructure-scan", but i only want the last segment of this, domain-malware or domain-botnet or infrastructure-scan, etc.

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Introducing .conf Stories Series!

“.conf Stories” Series – First Feature: Rich Mahlerwein   Every year .conf brings together some of the most ...