Splunk Search

Regex help

Engager

Hi,

I am new to splunk and regex, sorry for poor knowledge.

I am trying to extract hostname from
/var/log/syslog/2013/11/14/hostname_messages.log
So far I came up with [a-zA-Z]*([^]+).log$ but this result has _messages.log.
How Can I get rid of this part?

Tags (1)
0 Karma

Splunk Employee
Splunk Employee
.+/(?<hostname>.+?)\_

Splunk Employee
Splunk Employee

No problem. Please check the checkmark next to this post to accept the answer. Thanks!

0 Karma

Engager

This works like a charm!!
So this is using variable.
Thanks a lot!

0 Karma

SplunkTrust
SplunkTrust

This should work for you. This takes anything between last "/" and "_".

".*/(?<host>[^_]+)"

Path Finder

How about:

/([a-zA-Z0-9]+)_messages\.log

Assuming that 'hostname' only contains alpha-numeric characters.

Or, if your 'hostname' doesn't include underscores:

/([^_/]+)_messages\.log

You need to 'escape' the period character, as it has a special meaning in regex.

Path Finder

Are you trying to extract the hostname as part of an input, in inputs.conf or are you trying the use the 'rex' command in the Search App?

0 Karma