Solved: Regex for host field inputs.conf

conner9 · ‎08-08-2012

Anyone with ideas on how to convert this rex search string into host_regex= input for the Host field, to be a host name in inputs.conf.

rex "(?P<App>\S+)__(?P<Loc>\S+)__(?P<Host>\S+)__(?P<PID>\d+)."

hexx · ‎08-09-2012

I would suggest:

host_regex = _+([^_]+)(?:__\d+)?\.\w+$

...but you should really test this out against some data samples before rolling it out to production.

View solution in original post

hexx · ‎08-09-2012

I would suggest:

host_regex = _+([^_]+)(?:__\d+)?\.\w+$

...but you should really test this out against some data samples before rolling it out to production.

conner9 · ‎09-11-2012

Seems to be working perfectly, Thanks so much for the help.

hexx · ‎08-09-2012

That's ok, when I said "path" I was being inclusive of the file name.

conner9 · ‎08-09-2012

Nah, I wish it was that easy, these are the actual file names that I'm trying to extract the hostname from.

hexx · ‎08-09-2012

This is helpful, but just to be clear : These strings are part of the path to the source file?

conner9 · ‎08-09-2012

I know it's a wreck, just looking for good ideas.

Here are some of the myriad of possibilities:

timing_manager_main____iccsfwint0001__13618.term
HOSTNAME=iccsfwin0001

target_diag_manager__optical__iccsint0001.log
HOSTNAME=iccsint0001

target_diag_manager__Video__main-frame-int1__8783.term

HOSTNAME=main-frame-int1

target_area_manager____main-frame-int2.log2
HOSTNAME=main-frame-int2

Timing_FEP____its-master2.log
HOSTNAME=its-master2

hexx · ‎08-08-2012

It's not really possible to answer your question without a data sample showing a string from which you want to extract the value of 'host'. Also, is that string going to be found in the 'source' field of the event?

Regex for host field inputs.conf

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life