Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Data source 'host' regex, need some pointers.

teward001
Path Finder
‎04-25-2014 07:20 AM

Right now, we've got a path like: /splunk/data-sources/domain-botnet.csv, with numerous files, but each is a .csv file.

I'm trying to import it so that the host field returns the domain-botnet part of the filename, but not the whole filename.

Right now I'm trying to make it work sorta, but it only captures the first part of that filename, say, 'domain' or 'url' rather than what I want it to capture, and this is the regex I've come up with so far (keep in mind I'm a newbie at regex...): (url|domain|infrastructure|email|malware)-\w*

Anyone able to maybe give me some pointers on how to make this work? Note that this will also be applied to a Windows system as well as a Linux system, so it needs to be able to adapt to a variable-length path, traversing any number of directories and/or drive paths to extract the filename (minus the .csv extension)

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2014 08:05 AM

Try this:

host_regex=(?:[\\/][^\\/]*){1,}[\\/]([^\.]*)\.csv

RegExr (http://www.regexr.com/) is a great tool for testing regular expressions.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2014 08:05 AM

Try this:

host_regex=(?:[\\/][^\\/]*){1,}[\\/]([^\.]*)\.csv

RegExr (http://www.regexr.com/) is a great tool for testing regular expressions.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

teward001
Path Finder
‎04-25-2014 10:09 AM

Works perfectly, thanks!

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎04-25-2014 07:41 AM

In inputs.conf, use this

host_regex=(?:/|\\)(\S+?)\.csv$

should do it. HTH!

0 Karma
Reply
Solved! Jump to solution

teward001
Path Finder
‎04-25-2014 07:48 AM

That does part of it, the host now shows up as "splunk/data-sources/domain-malware" or "splunk/data-sources/domain-botnet" or "splunk/data-sources/infrastructure-scan", but i only want the last segment of this, domain-malware or domain-botnet or infrastructure-scan, etc.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...