Solved: What is the function of host_regex?

dkr3500 · ‎08-30-2018

In our Splunk forwarder, in the path: /opt/splunk/etc/apps/app01/default we have many stanzas such as:

[monitor:///export/data/syslog-ng/sentry*/messages]
disabled   = false
host_regex = /export/data/syslog-ng/(.*?)/messages
index      = asalg
sourcetype = cisco_asa

And under every stanza there is the following line:

host_regex = /export/data/syslog-ng/(.*?)/messages

I am very curious to know what the "/(.*?)/" means?

Thank you.

FrankVl · ‎08-30-2018

The host_regex is used to extract the hostname from the monitored path. In regular expressions (...) denotes a capturing group, so that is what actually captures the hostname, from that part of the path. The .*? means that it accepts all kinds of characters for the hostname, but using the ? it only captures things until it actually finds something that matches what comes after the ?. In this case the "/messages" bit.

View solution in original post

FrankVl · ‎08-30-2018

The host_regex is used to extract the hostname from the monitored path. In regular expressions (...) denotes a capturing group, so that is what actually captures the hostname, from that part of the path. The .*? means that it accepts all kinds of characters for the hostname, but using the ? it only captures things until it actually finds something that matches what comes after the ?. In this case the "/messages" bit.

dkr3500 · ‎08-30-2018

Thanks FriankVI !

What is the function of host_regex?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor