Splunk Search

How do you extract a hostname from a source path?

New Member

Hello all ,

I've configured Splunk to monitor directory , i.e. /usr/home/test/* for new CSV files ( periodically generated by cronjob)
multiple files , multiple hostnames, etc....

csv file format = hostname.timestamp.csv
source=  /usr/home/test/rO1234560e.timestamp.csv

I would like to extract host name(s) at search time from my source:

as I don't have privileges to work on input / output stanza's

the following regex

r\w\d{7}\w 

will match desired host name (confirmed in regex 101). But, in Splunk, a brand new field is created as "host_N" with no value ( i.e. it's blank).

|regex field source = (?)r\w\d{7}\w sourcetype = csv 

|regex field source = (?)r\w\d{7}\w\.\w+\.csv )  sourcetype= csv --- the same results 

Thanks in advance !

0 Karma
1 Solution

Motivator

Hi! You are confusing the regex command with the rex command. The regex command is for removing results based on a regular expression. The rex command (this is what you need) is for extracting new fields at search time.

Try it like this. The new field will be named "hostname":

index=... sourcetype=csv | rex field=source "(?<hostname>r\w\d{7}\w)"

Instead of doing the field extraction at search time, you could create a new field extraction under "Settings / Fields / Field extractions" or when clicking on "Event Actions / Extract Fields" in the search window. That way, Splunk will extract the field automatically for you.

EDIT: Typo

View solution in original post

0 Karma

Motivator

Hi! You are confusing the regex command with the rex command. The regex command is for removing results based on a regular expression. The rex command (this is what you need) is for extracting new fields at search time.

Try it like this. The new field will be named "hostname":

index=... sourcetype=csv | rex field=source "(?<hostname>r\w\d{7}\w)"

Instead of doing the field extraction at search time, you could create a new field extraction under "Settings / Fields / Field extractions" or when clicking on "Event Actions / Extract Fields" in the search window. That way, Splunk will extract the field automatically for you.

EDIT: Typo

View solution in original post

0 Karma

New Member

I tried what you have suggested and it does not work , my guess it's was a typo -:) , Thanks for for your help

0 Karma

Motivator

True, I had a typo in there. I fixed it. Try it again.

0 Karma

New Member

Hello , Thanks for the prompt response it worked as expected , Have a good weekend !

0 Karma

Motivator

Glad to hear it's working!
When you add a new field extraction via Settings / Fields, set the sourcetype to csv and set Extraction/Transform to:

(?<hostname>r\w\d{7}\w) in source
0 Karma

New Member

new field extraction is a terrific idea , Thanks for that !

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!