Solved: How do I create a host name from two matches with ...

kevlar0 · ‎04-01-2016

If I'm gathering data from /data/"folder"/"subfolder" and want to make the host = "folder"-"subfolder", is this possible to do with host_regex?

Obviously I can get "folder" or "subfolder" trivially, but I can't figure out a way to append both of those strings together.

lguinn2 · ‎04-01-2016

You can easily get "folder/subfolder", but I don't know how to change the "/" to a "-" in inputs.conf

host_regex = "/data/(.*?/.*?)/"

If you really, really must have a "-", you will have to do it at parsing time on the indexer (or heavy forwarder):

props.conf

[yoursourcetypehere]
TRANSFORMS-rh = rename_host

transforms.conf

[rename_host]
SOURCE_KEY=MetaData:Host
REGEX=(.*?)/(.*)
DEST_KEY=MetaData:Host
FORMAT=host::$1-$2

lguinn2 · ‎04-01-2016

You can easily get "folder/subfolder", but I don't know how to change the "/" to a "-" in inputs.conf

host_regex = "/data/(.*?/.*?)/"

If you really, really must have a "-", you will have to do it at parsing time on the indexer (or heavy forwarder):

props.conf

[yoursourcetypehere]
TRANSFORMS-rh = rename_host

transforms.conf

[rename_host]
SOURCE_KEY=MetaData:Host
REGEX=(.*?)/(.*)
DEST_KEY=MetaData:Host
FORMAT=host::$1-$2

kevlar0 · ‎04-01-2016

Thanks! I'd suspected I'd need to use transforms, but was hoping I could still do it with inputs.conf.

How do I create a host name from two matches with host_regex?