Splunk Search

How do I get host_regex to work for my log file names?

Engager

Log files are:
/audit/files/20180515041511.scc145.audit.log.1
/audit/files/20180515041511.scc145.audit.log.2
/audit/files/20180515041511.dmzbackend.audit.log.1
etc...

I want splunk to have host as "scc145" and "dmzbackend", and etc..

I have this in inputs.conf:
[monitor:///audit/files]
host_regex = ([^0-9./][A-Za-z0-9-]*[^.audit.log])

Also tried
host_regex = /audit/files/([^0-9./][A-Za-z0-9-]*[^.audit.log])

That regex works just fine on sites like regex101.com. Splunk won't use it correctly. I've tried a ton of variations (for example approaches that don't use the caret) which work fine for regex, but Splunk won't use it.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

I would suggest the following:

host_regex = .([^.]+).audit.log

This will match scc145 and dmzbackend as the host names. You need the capture group to do exactly the part that you want as the hostname, and no other portion of the filename.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

I would suggest the following:

host_regex = .([^.]+).audit.log

This will match scc145 and dmzbackend as the host names. You need the capture group to do exactly the part that you want as the hostname, and no other portion of the filename.

View solution in original post

0 Karma

Engager

Thanks! That worked...but I've found that I also have files called:

/audit/files/20180516009678.fep145.dmz.mil.audit.log.1
/audit/files/20180517095674.view145.dmz.mil.audit.log.1

for this pattern, the suggested host_regex results in a host of "mil" (with both of them going into "mil" host, which is also not good).

0 Karma

SplunkTrust
SplunkTrust

Try:

.([^.]+).(dmz.mil.)?audit.log

Also there is a more generic:

\.([^.]+)\..*audit\.log\..*$
0 Karma