I have concocted a basic regular expression to find all Splunk indexes from matching hosts. The idea of the regex is to find all indexes by hosts that:
- Begin with "us" or "ln"
- The third character (after us or ln) can be any character
- The fourth character is an x
- The remaining characters can be any character or number
- It can also be followed by .intranet.local (but is optional)
\
(Also, sourcetype should be from syslog)
Splunk searches and regexes I have tried are:
(Note, splunk isn't letting me post back slashes in my code... even if I use quadruple backslashes to try and escape, so imagine the forward slashes below are back slashes)
sourcetype=syslog host="(?:us|ln)/w*/./w/./w"sourcetype=syslog host_regex="(?:us|ln)/w*/./w/./w"sourcetype=syslog regex host="(?:us|ln)/w*/.w/w*/./w"
If I remove the regex section, and do a search with host="*", I receive indexes with host fields such as:
uslx1099.intranet.local
uslx508.intranet.local
mylx091.intranet.local
usax555
lnax01b
Any assistance or clarification as to what I may be doing wrong would be greatly appreciated.
Thanks,
