Splunk Search

Regex for Inputs.conf to grab hostname challenge

conner9
Path Finder

I am trying to pull the hostname from file names, for inputs.conf. The hostname is always between the second and third set of double underscore characters the rest of the file name can be multiple groups of letters & numbers.
The hostname can be made up of letters, numbers, and/or dashes
If the hostname has dashes then there can be two, three, or four segments to the name, but it is always the total of what's between the double underscore.
There can be multiple segments to the file name, both before and after the hostname.

Example:

field____field________field__________hostname_______field.log

Thoughts?

0 Karma
1 Solution

lguinn2
Legend

Try this

host_regex =__((?:[a-zA-Z0-9]|-)+)__

Which says "use the string between the double-underscores, if that string consists only of any combination of letters, numbers and dashes"

View solution in original post

lguinn2
Legend

Try this

host_regex =__((?:[a-zA-Z0-9]|-)+)__

Which says "use the string between the double-underscores, if that string consists only of any combination of letters, numbers and dashes"

Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...