Splunk Search

How do I get host_regex to work for my log file names?

jelli5518
Engager

Log files are:
/audit/files/20180515041511.scc145.audit.log.1
/audit/files/20180515041511.scc145.audit.log.2
/audit/files/20180515041511.dmzbackend.audit.log.1
etc...

I want splunk to have host as "scc145" and "dmzbackend", and etc..

I have this in inputs.conf:
[monitor:///audit/files]
host_regex = ([^0-9./][A-Za-z0-9-]*[^.audit.log])

Also tried
host_regex = /audit/files/([^0-9./][A-Za-z0-9-]*[^.audit.log])

That regex works just fine on sites like regex101.com. Splunk won't use it correctly. I've tried a ton of variations (for example approaches that don't use the caret) which work fine for regex, but Splunk won't use it.

0 Karma
1 Solution

cpetterborg
SplunkTrust
SplunkTrust

I would suggest the following:

host_regex = .([^.]+).audit.log

This will match scc145 and dmzbackend as the host names. You need the capture group to do exactly the part that you want as the hostname, and no other portion of the filename.

View solution in original post

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

I would suggest the following:

host_regex = .([^.]+).audit.log

This will match scc145 and dmzbackend as the host names. You need the capture group to do exactly the part that you want as the hostname, and no other portion of the filename.

View solution in original post

0 Karma

jelli5518
Engager

Thanks! That worked...but I've found that I also have files called:

/audit/files/20180516009678.fep145.dmz.mil.audit.log.1
/audit/files/20180517095674.view145.dmz.mil.audit.log.1

for this pattern, the suggested host_regex results in a host of "mil" (with both of them going into "mil" host, which is also not good).

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Try:

.([^.]+).(dmz.mil.)?audit.log

Also there is a more generic:

\.([^.]+)\..*audit\.log\..*$
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!