I've set up Splunk to monitor a single folder which contains an archive of log files from multiple source hosts. The filename contains the hostname in the following structure: 'hostname_date.csv', for example 'B0292T01_18062015.csv'. They currently sit at the following path: c:\testlogs\B0292T01_18062015.csv
I would like Splunk to set the host as the first section of the filename. I've tried to filter for it using the Set Host Regex on Path option, using [A-Z][0-0][0-9][0-9][0-9][A-Z][0-9][0-9] as the regex, but this isn't working.
Can anyone help?
For some reason, this question will not let me add an answer, so I am adding a comment...
The problem is that your regex is not properly capturing the data. Try this instead:
inputs.conf
[monitor://c:\testlogs\]
host_regex = \\(.*?)_\d+\.csv$
Here is the description in the documentation
Hi Lguinn,
That's working great, thanks, except for one thing: it reports the host as 'testlogs\B0292T01'. Is there any way to get it to not pull in the 'testlogs\'?
Thanks.
Try this instead:
host_regex = \\testlogs\\(.*?)_\d+\.csv$
Hi Lguinn,
That's working great. Thanks a lot.
Best Regards.
Try:
host_regex = testlogs\(.*?)_\d+.csv$
Hello Esix,
I just tried that and unfortunately it does not appear to be working - Splunk is using the server's hostname instead.
Any other ideas?
Hmm, I can't really put the regex here as this forum somehow escapes "\" characters, so I'm attaching an image below.