Splunk Search

How to get the hostname from the logs?

kiran331
Builder

Hi,

I have the syslogs coming from 4 consoles in to single path, how to extract the hostnames in inputs.conf file?

log names:

mail.text.esa1.abc.iphmx.com.@20170413T093916.s
mail.text.esa2.abc.iphmx.com.@20170413T093916.s
mail.text.esa3.abc.iphmx.com.@20170413T093916.s
mail.text.esa4.abc.iphmx.com.@20170413T093916.s

required hostnames:
esa1.abc
esa2.abc
esa3.abc
esa4.abc

0 Karma

muebel
SplunkTrust

Hi kiran331, you'll have to add a transform specification to the props config on the source or sourcetype. The transform could have a REGEX set to something like:

mail\.text\.([^\.]+\.[^\.])\.iphmx\.com

Taking the config from another answer: https://answers.splunk.com/answers/91933/can-you-override-host-for-an-input.html

#props
[source::mysource]
TRANSFORMS-ho=hostoverride

#transforms
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = mail\.text\.([^\.]+\.[^\.])\.iphmx\.com
FORMAT = host::$1

You might need to adjust the source specification in props (your source probably isn't named "mysource"), and the regex might need adjusting as well to be more generic, depending on whether you have different patterns for the hostnames in the source.

This config will need to be set on the indexer, or whatever splunk instance does the processing pipeline on the events.

Please let me know if this answers your question! 😄

kiran331
Builder

I tried this one, it didn't work. Do I have to mention anything under host= in inputs.conf?

0 Karma

niketn
Legend

I think a + was missed in the extracting expression:

^mail\.text\.([^\.]+\.[^\.]+)\.iphmx\.com

Following is the documentation for your use case with example: http://docs.splunk.com/Documentation/Splunk/latest/Data/Overridedefaulthostassignments#Example

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
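The following is an added example, not code from the thread or from Splunk: it replays the host-override transform in plain Python so the two regexes from the answers above can be checked against the four file names in the question before the config is pushed to an indexer. It assumes the override behaves as documented (REGEX is run over the source string, FORMAT's $1 is filled from the first capture group, and a non-matching regex leaves the host untouched). The fifth file name is constructed here as a negative case. One check worth making alongside the regex itself: a transforms.conf stanza runs its REGEX over _raw by default, so when the host is to be taken from the file name, the stanza also needs SOURCE_KEY = MetaData:Source, otherwise even a correct regex will never match the event text.

```python
import re
from typing import Dict, List, Optional

# Regex as posted in the first answer: the second character class has no '+',
# so it can only match a single character between the two dots.
THREAD_REGEX = r"mail\.text\.([^\.]+\.[^\.])\.iphmx\.com"

# Regex with the missing '+' restored, as pointed out later in the thread.
FIXED_REGEX = r"^mail\.text\.([^\.]+\.[^\.]+)\.iphmx\.com"

# FORMAT value from the transforms.conf stanza in the thread.
FORMAT = "host::$1"

# The four file names from the question, plus one constructed name that must
# not match so we can see that unrelated sources keep their original host.
SAMPLE_SOURCES: List[str] = [
    "mail.text.esa1.abc.iphmx.com.@20170413T093916.s",
    "mail.text.esa2.abc.iphmx.com.@20170413T093916.s",
    "mail.text.esa3.abc.iphmx.com.@20170413T093916.s",
    "mail.text.esa4.abc.iphmx.com.@20170413T093916.s",
    "mail.text.other.log",  # constructed: no iphmx.com suffix, should be left alone
]


def apply_host_override(source: str, regex: str, fmt: str = FORMAT) -> Optional[str]:
    """Mimic a transforms.conf host override (assumed behaviour, not Splunk code):
    run REGEX over the source string and, on a match, expand FORMAT's $1 with the
    first capture group. Returns the new host value, or None when the regex does
    not match, which is the case where Splunk leaves the host unchanged."""
    m = re.search(regex, source)
    if not m:
        return None
    value = fmt.replace("$1", m.group(1))
    # FORMAT is "<key>::<value>"; the part after '::' is what becomes the host field.
    key, _, host = value.partition("::")
    if key != "host":
        raise ValueError(f"unexpected FORMAT key {key!r}")
    return host


def extract_hosts(sources: List[str], regex: str) -> Dict[str, Optional[str]]:
    """Return {source: host-or-None} for every source name, for one regex."""
    return {s: apply_host_override(s, regex) for s in sources}


if __name__ == "__main__":
    for label, rx in (("thread regex", THREAD_REGEX), ("fixed regex", FIXED_REGEX)):
        print(f"--- {label}: {rx}")
        for src, host in extract_hosts(SAMPLE_SOURCES, rx).items():
            print(f"{src:52} -> {host}")
```

Running it shows the original regex yielding no host for any of the four files (the single `[^\.]` consumes "a" and the following `\.` then fails on "b"), while the corrected regex yields esa1.abc through esa4.abc and leaves the constructed non-matching file untouched. Note also that the `^` anchor in the corrected regex binds to the start of whatever string the transform is run over; if SOURCE_KEY = MetaData:Source holds the full path rather than the bare file name, either drop the anchor or include the directory prefix in the pattern.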