Splunk Search

How do you extract a hostname from a source path?

rkatsnel
New Member

Hello all ,

I've configured Splunk to monitor directory , i.e. /usr/home/test/* for new CSV files ( periodically generated by cronjob)
multiple files , multiple hostnames, etc....

csv file format = hostname.timestamp.csv
source=  /usr/home/test/rO1234560e.timestamp.csv

I would like to extract host name(s) at search time from my source:

as I don't have privileges to work on input / output stanza's

the following regex

r\w\d{7}\w 

will match desired host name (confirmed in regex 101). But, in Splunk, a brand new field is created as "host_N" with no value ( i.e. it's blank).

|regex field source = (?)r\w\d{7}\w sourcetype = csv 

|regex field source = (?)r\w\d{7}\w\.\w+\.csv )  sourcetype= csv --- the same results 

Thanks in advance !

0 Karma
1 Solution

whrg
Motivator

Hi! You are confusing the regex command with the rex command. The regex command is for removing results based on a regular expression. The rex command (this is what you need) is for extracting new fields at search time.

Try it like this. The new field will be named "hostname":

index=... sourcetype=csv | rex field=source "(?<hostname>r\w\d{7}\w)"

Instead of doing the field extraction at search time, you could create a new field extraction under "Settings / Fields / Field extractions" or when clicking on "Event Actions / Extract Fields" in the search window. That way, Splunk will extract the field automatically for you.

EDIT: Typo

View solution in original post

0 Karma

whrg
Motivator

Hi! You are confusing the regex command with the rex command. The regex command is for removing results based on a regular expression. The rex command (this is what you need) is for extracting new fields at search time.

Try it like this. The new field will be named "hostname":

index=... sourcetype=csv | rex field=source "(?<hostname>r\w\d{7}\w)"

Instead of doing the field extraction at search time, you could create a new field extraction under "Settings / Fields / Field extractions" or when clicking on "Event Actions / Extract Fields" in the search window. That way, Splunk will extract the field automatically for you.

EDIT: Typo

0 Karma

rkatsnel
New Member

I tried what you have suggested and it does not work , my guess it's was a typo -:) , Thanks for for your help

0 Karma

whrg
Motivator

True, I had a typo in there. I fixed it. Try it again.

0 Karma

rkatsnel
New Member

Hello , Thanks for the prompt response it worked as expected , Have a good weekend !

0 Karma

whrg
Motivator

Glad to hear it's working!
When you add a new field extraction via Settings / Fields, set the sourcetype to csv and set Extraction/Transform to:

(?<hostname>r\w\d{7}\w) in source
0 Karma

rkatsnel
New Member

new field extraction is a terrific idea , Thanks for that !

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...