Splunk Search

Extract value for host field from log file path using the parameter host_regex in inputs.conf

neltonk
Path Finder

Hi,

I am new to Splunk and Regex. I have a folder: D:\SplunkForwarderCache\TimeSyncLogs\Linux. This folder contains files in the format [servername]_[currentdate]

I am using the universal forwarder to send logs to Splunk Enterprise. I am able to successfully send the logs; however, when I modify the inputs.conf to add the parameter host_regex to extract the server name for the field host... it does not work.

Details :

inputs.conf location for the universal forwarder : C:\Program Files\SplunkUniversalForwarder\etc\apps\search\local

Content in inputs.conf for the universal forwarder:

[monitor://D:\SplunkForwarderCache\TimeSyncLogs\Linux]
host_regex = Linux\(\w+)_
disabled = false
index = timesynclinuxlogs

I have restarted the universal forwarder after this change, but it has no effect. When I do a new search index=timesynclinuxlogs, the host value is still the hostname of the universal forwarder and not the extracted value from the log file name.

Please help...

0 Karma

gcusello
SplunkTrust

Hi neltonk,
please try with a different regex in the host_regex parameter

Linux\\(\w+)_

or

D:\\SplunkForwarderCache\\TimeSyncLogs\\Linux\\(\w+)_

Backslash is a special char for regexes and must be escaped.

Bye.
Giuseppe
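To illustrate Giuseppe's point, here is an added check (not code from this thread) that runs the three host_regex values above against a constructed source path in the [servername]_[currentdate] layout; Python's re module stands in for the PCRE engine Splunk uses, and the date format in the sample path is an assumption.

```python
import re

# Constructed sample path in the [servername]_[currentdate] layout from the
# question; the date format is an assumption.
SAMPLE_SOURCE = r"D:\SplunkForwarderCache\TimeSyncLogs\Linux\web01_20240115"

# The three host_regex values that appear in the thread.
ORIGINAL_REGEX = r"Linux\(\w+)_"                                       # as posted
FIXED_SHORT = r"Linux\\(\w+)_"                                         # suggested fix
FIXED_FULL = r"D:\\SplunkForwarderCache\\TimeSyncLogs\\Linux\\(\w+)_"  # suggested fix


def explain(regex: str) -> str:
    """Return 'ok' if the regex compiles, else the compile error message."""
    try:
        re.compile(regex)
    except re.error as exc:
        return f"does not compile: {exc.msg}"
    return "ok"


def extract_host(regex: str, source_path: str):
    """Mimic host_regex: the first capture group of the first match becomes
    the host value. Returns None if the regex does not compile, does not
    match, or has no capture group (Python re approximates Splunk's PCRE)."""
    try:
        pattern = re.compile(regex)
    except re.error:
        return None
    match = pattern.search(source_path)
    if match is None or match.lastindex is None:
        return None
    return match.group(1)


if __name__ == "__main__":
    # In the posted regex "\(" is a literal "(", which leaves the ")" unbalanced,
    # so the pattern never compiles and no host is ever extracted.
    for name, rx in [("original", ORIGINAL_REGEX),
                     ("short fix", FIXED_SHORT),
                     ("full fix", FIXED_FULL)]:
        host = extract_host(rx, SAMPLE_SOURCE)
        print(f"{name:10s} {rx!r:62s} -> host={host!r} ({explain(rx)})")
```

Note that \w also matches "_", so the capture relies on the date part containing no further underscores; if it did, the captured host would run past the first one.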

neltonk
Path Finder

The above issue seems to have been resolved... the change seems to take a lot of time (I added host_regex to inputs.conf yesterday) to be reflected on existing data (5 GB) in Splunk Enterprise. Is my understanding correct?

I have also added the sourcetype parameter to the inputs.conf today... I can see it is reflected for files uploaded today, but it has not changed for old files. Does the sourcetype parameter change for old files, or do I have to delete the monitor and index and ingest the data again?

0 Karma

p_gurav
Champion

No, the data that was indexed previously will not have the new sourcetype value.

0 Karma