Splunk Search

host regex does not seem to work

stefan_radovano
Explorer

Hello all,

I am new to Splunk and I am currently evaluating 6.1. We collect logs from a bunch of devices (routers and switches) to a central syslog server (syslog-ng) and currently Splunk runs on this server. I am trying to get it to detect the hostname of the device from the log filename but I can't seem to get it to work.

I went through a lot of the questions already posted here and it seems to me what I am doing should work, but it doesn't.

This is the entry I have in /apps/search/local/inputs.conf:

[monitor:///data/log/Core/*]
blacklist = \.(gz|bz2|z|zip|\d)$
disabled = false
followTail = 0
host =
whitelist = \.cnt.int.log$
host_regex = ^/data/log/Core/(.*)\.cnt\.int\.log$
sourcetype = cisco:ios

(this was added by the web gui)

The files look like this:

/data/log/Core/router1.cnt.int.log
/data/log/Core/router2.cnt.int.log
/data/log/Core/router3.cnt.int.log
/data/log/Core/router4.cnt.int.log
/data/log/Core/router4.cnt.int.log.1
/data/log/Core/router4.cnt.int.log.2.gz
/data/log/Core/router4.cnt.int.log.3.gz
/data/log/Core/router5.cnt.int.log
/data/log/Core/router6.cnt.int.log
/data/log/Core/router7.cnt.int.log

The regex looks fine to me, it checks out ok in RegExr. Despite all this, when I go to the Web gui, search and click on Data summary, I only see the syslog server hostname. There is none of those router1, router2 and so on hostnames which I expected to see.

Any idea why this is not working?

Regards,
Stefan

1 Solution

richgalloway
SplunkTrust

I did not get a match in RegExr using your regex string and your sample file names. I had better luck with

\/data\/log\/Core\/(.*)\.cnt\.int\.log
---
If this reply helps you, Karma would be appreciated.
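An added check, not from the thread or from Splunk, that runs the stanza's whitelist, blacklist and both host_regex variants (the question's anchored one and the answer's unanchored one) over the file list posted above. It assumes Splunk applies whitelist/blacklist as unanchored searches on the full path, lets blacklist win, and takes the first capture group of host_regex as the host; the fallback host name is a placeholder.

```python
import re

# Constructed from the file list posted in the question (not a live listing).
PATHS = [
    "/data/log/Core/router1.cnt.int.log",
    "/data/log/Core/router2.cnt.int.log",
    "/data/log/Core/router3.cnt.int.log",
    "/data/log/Core/router4.cnt.int.log",
    "/data/log/Core/router4.cnt.int.log.1",
    "/data/log/Core/router4.cnt.int.log.2.gz",
    "/data/log/Core/router4.cnt.int.log.3.gz",
    "/data/log/Core/router5.cnt.int.log",
]

# Settings as posted in inputs.conf, plus the two host_regex variants.
BLACKLIST = r"\.(gz|bz2|z|zip|\d)$"
WHITELIST = r"\.cnt.int.log$"
HOST_REGEX_ANCHORED = r"^/data/log/Core/(.*)\.cnt\.int\.log$"
HOST_REGEX_UNANCHORED = r"/data/log/Core/(.*)\.cnt\.int\.log"


def monitored_hosts(paths, whitelist, blacklist, host_regex,
                    default_host="syslog-server-placeholder"):
    """Return {path: host} for the files the monitor stanza would read.

    Assumed Splunk behaviour: whitelist/blacklist are unanchored searches
    over the full path, blacklist wins, and group 1 of host_regex is the
    host; when host_regex does not match, the indexer's own host is used.
    """
    wl, bl, hr = re.compile(whitelist), re.compile(blacklist), re.compile(host_regex)
    result = {}
    for path in paths:
        if bl.search(path) or not wl.search(path):
            continue  # rotated/compressed files never reach host extraction
        m = hr.search(path)
        result[path] = m.group(1) if m and m.group(1) else default_host
    return result


def compare_host_regexes(paths=PATHS):
    """Per monitored path: (host from anchored regex, host from unanchored regex)."""
    anchored = monitored_hosts(paths, WHITELIST, BLACKLIST, HOST_REGEX_ANCHORED)
    unanchored = monitored_hosts(paths, WHITELIST, BLACKLIST, HOST_REGEX_UNANCHORED)
    return {p: (anchored[p], unanchored[p]) for p in anchored}


if __name__ == "__main__":
    for path, (a, u) in compare_host_regexes().items():
        print(f"{path}: anchored={a} unanchored={u}")
```

Running it shows which rotated files the blacklist drops before any host extraction happens and what each regex yields for the remaining paths.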

stefan_radovano
Explorer

Well, this is weird: it works when I remove the anchor tags, but I could SWEAR that I tried without them too. And I am pretty sure I've seen examples in here with people using anchor tags. In any case, thank you!


richgalloway
SplunkTrust

When I tried your regex in RegExr, I did not get a match until I removed the anchor tags (^$). Have you tried that?

---
If this reply helps you, Karma would be appreciated.

stefan_radovano
Explorer

The command above actually contains backslashes behind the dots at the end, they are just removed by this site apparently.


stefan_radovano
Explorer

Unfortunately it's not working either. I don't think the escape is needed to be honest. For example, I can type this into the search bar:

index=main | rex field=source "^/data/log/Core/(?<host>.*)\.cnt\.int\.log$"

and it produces entries with the host extracted correctly, so the regex is fine. I just don't understand why it's not being applied on indexing.
