Regex help

ytanaka · ‎11-15-2013

Hi,

I am new to splunk and regex, sorry for poor knowledge.

I am trying to extract hostname from
/var/log/syslog/2013/11/14/hostname_messages.log
So far I came up with [a-zA-Z]*([^]+).log$ but this result has _messages.log.
How Can I get rid of this part?

dmaislin_splunk · ‎11-15-2013

.+/(?<hostname>.+?)\_

dmaislin_splunk · ‎11-15-2013

No problem. Please check the checkmark next to this post to accept the answer. Thanks!

ytanaka · ‎11-15-2013

This works like a charm!!
So this is using variable.
Thanks a lot!

somesoni2 · ‎11-15-2013

This should work for you. This takes anything between last "/" and "_".

".*/(?<host>[^_]+)"

gmor · ‎11-15-2013

How about:

/([a-zA-Z0-9]+)_messages\.log

Assuming that 'hostname' only contains alpha-numeric characters.

Or, if your 'hostname' doesn't include underscores:

/([^_/]+)_messages\.log

You need to 'escape' the period character, as it has a special meaning in regex.

gmor · ‎11-15-2013

Are you trying to extract the hostname as part of an input, in inputs.conf or are you trying the use the 'rex' command in the Search App?

Regex help

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Regex help

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers