Solved: What is the function of host_regex?

dkr3500 · ‎08-30-2018

In our Splunk forwarder, in the path: /opt/splunk/etc/apps/app01/default we have many stanzas such as:

[monitor:///export/data/syslog-ng/sentry*/messages]
disabled   = false
host_regex = /export/data/syslog-ng/(.*?)/messages
index      = asalg
sourcetype = cisco_asa

And under every stanza there is the following line:

host_regex = /export/data/syslog-ng/(.*?)/messages

I am very curious to know what the "/(.*?)/" means?

Thank you.

FrankVl · ‎08-30-2018

The host_regex is used to extract the hostname from the monitored path. In regular expressions (...) denotes a capturing group, so that is what actually captures the hostname, from that part of the path. The .*? means that it accepts all kinds of characters for the hostname, but using the ? it only captures things until it actually finds something that matches what comes after the ?. In this case the "/messages" bit.

View solution in original post

FrankVl · ‎08-30-2018

The host_regex is used to extract the hostname from the monitored path. In regular expressions (...) denotes a capturing group, so that is what actually captures the hostname, from that part of the path. The .*? means that it accepts all kinds of characters for the hostname, but using the ? it only captures things until it actually finds something that matches what comes after the ?. In this case the "/messages" bit.

dkr3500 · ‎08-30-2018

Thanks FriankVI !

What is the function of host_regex?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

What is the function of host_regex?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability