Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Data source 'host' regex, need some pointers.

teward001
Path Finder
‎04-25-2014 07:20 AM

Right now, we've got a path like: /splunk/data-sources/domain-botnet.csv, with numerous files, but each is a .csv file.

I'm trying to import it so that the host field returns the domain-botnet part of the filename, but not the whole filename.

Right now I'm trying to make it work sorta, but it only captures the first part of that filename, say, 'domain' or 'url' rather than what I want it to capture, and this is the regex I've come up with so far (keep in mind I'm a newbie at regex...): (url|domain|infrastructure|email|malware)-\w*

Anyone able to maybe give me some pointers on how to make this work? Note that this will also be applied to a Windows system as well as a Linux system, so it needs to be able to adapt to a variable-length path, traversing any number of directories and/or drive paths to extract the filename (minus the .csv extension)

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2014 08:05 AM

Try this:

host_regex=(?:[\\/][^\\/]*){1,}[\\/]([^\.]*)\.csv

RegExr (http://www.regexr.com/) is a great tool for testing regular expressions.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2014 08:05 AM

Try this:

host_regex=(?:[\\/][^\\/]*){1,}[\\/]([^\.]*)\.csv

RegExr (http://www.regexr.com/) is a great tool for testing regular expressions.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

teward001
Path Finder
‎04-25-2014 10:09 AM

Works perfectly, thanks!

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎04-25-2014 07:41 AM

In inputs.conf, use this

host_regex=(?:/|\\)(\S+?)\.csv$

should do it. HTH!

0 Karma
Reply
Solved! Jump to solution

teward001
Path Finder
‎04-25-2014 07:48 AM

That does part of it, the host now shows up as "splunk/data-sources/domain-malware" or "splunk/data-sources/domain-botnet" or "splunk/data-sources/infrastructure-scan", but i only want the last segment of this, domain-malware or domain-botnet or infrastructure-scan, etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...