Splunk Search

How to get host from filename?

I've set up Splunk to monitor a single folder which contains an archive of log files from multiple source hosts. The filename contains the hostname in the following structure 'hostname_date.csv', for example 'B0292T01_18062015.csv'. They currently sit at the following path c:\testlogs\B0292T01_18062015.csv

I would like Splunk to set the host as the first section of the filename. I've tried to filter for it using the Set Host Regex on Path option and using [A-Z][0-0][0-9][0-9][0-9][A-Z][0-9][0-9] as the regex but this isn't working.

Can anyone help?

1 Solution

Legend

For some reason, this question will not let me add an answer, so I am adding a comment...

The problem is that your regex is not properly capturing the data. Try this instead:

inputs.conf

[monitor://c:\testlogs\]
host_regex = \\(.*?)_\d+\.csv$

Here is the description in the documentation

Hi Lguinn,

That's working great, thanks, except for one thing: it reports the host as 'testlogs\B0292T01'. Is there any way to get it to not pull in the 'testlogs\'?

Thanks.


Legend

Try this instead:

host_regex = \\testlogs\\(.*?)_\d+\.csv$
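To see why the three patterns in this thread behave so differently, here is an added Python example (not from the thread or from Splunk itself). It mimics what host_regex does in inputs.conf: search the full file path and take the first capturing group as the host. It assumes Python's re dialect treats these patterns the same way Splunk's PCRE engine does, and runs them over constructed sample paths in the layout the question describes.

```python
import re

# Constructed sample paths in the layout the question describes
# (c:\testlogs\hostname_date.csv); they are not real files.
SAMPLE_PATHS = [
    r"c:\testlogs\B0292T01_18062015.csv",
    r"c:\testlogs\A1234X99_01012016.csv",
]

# The three patterns that appear in this thread.
ORIGINAL_ATTEMPT = r"[A-Z][0-0][0-9][0-9][0-9][A-Z][0-9][0-9]"  # matches, but has no capture group
FIRST_ANSWER = r"\\(.*?)_\d+\.csv$"                           # group also swallows the folder name
FIXED_ANSWER = r"\\testlogs\\(.*?)_\d+\.csv$"                 # anchored on the folder, host only


def host_from_path(path, host_regex):
    """Mimic Splunk's host_regex: search the full path and return the
    first capturing group, or None when there is no match or no group
    (Splunk then falls back to its default host, the indexer's own name,
    which is what the question reports seeing)."""
    m = re.search(host_regex, path)
    if m is None or m.lastindex is None:
        return None
    return m.group(1)


def hosts_for(paths, host_regex):
    """Map every path to the host value the regex would assign it."""
    return {p: host_from_path(p, host_regex) for p in paths}


if __name__ == "__main__":
    for label, pattern in [("original attempt", ORIGINAL_ATTEMPT),
                           ("first answer", FIRST_ANSWER),
                           ("fixed answer", FIXED_ANSWER)]:
        print(label, hosts_for(SAMPLE_PATHS, pattern))
```

The original attempt does match the hostname, but with no capturing group there is nothing for host_regex to return; the first answer's lazy group starts at the backslash after the drive letter and so includes the folder; the fixed pattern pins the group to the segment after testlogs\.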

Hi Lguinn,

That's working great. Thanks a lot.

Best Regards.


Splunk Employee

Try:
host_regex = testlogs\(.*?)_\d+.csv$


Hello Esix,

I just tried that and unfortunately it does not appear to be working - Splunk is using the server's hostname instead.

Any other ideas?


Super Champion

Hmm... can't really put the regex here as this forum somehow escapes "\" characters, so attaching an image below.
