Splunk Search

host_regex is not working extract host name from windows path

splunked38
Communicator

All,

I'm trying to use host_regex to extract host names for input

Background:

  • All logs are copied to a Windows fileshare (installing agents on the servers is out of scope; it would make life easier)
  • logs are in different folders (split because they all have different timezones; the servers cannot use UTC/GMT)
  • logs are in the following locations and format:
    C:\foo\bar\Splunk\EET\fihel01srv001-Mon.log
    C:\foo\bar\Splunk\CET\frpar01srv001-Mon.log
    C:\foo\bar\Splunk\WET\uklon01srv001-Mon.log
    etc...

Aim

to get:

fihel01srv001

frpar01srv001

uklon01srv001

Attempted:

  • the following (unoptimised) search works :
    index=test | rex field=source ".*?(?[a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"

but...

when putting this into inputs.conf, it doesn't work

host field is set to the server that is indexing the logs

ie: host=splunkserver

inputs.conf:
[monitor://C:\foo\bar\Splunk\WET\*.log]
disabled = false
followTail = 0
index = test
sourcetype = testlogs
crcSalt=
host_regex = ".*?([a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"

BTW: also open to other alternative solutions...

1 Solution

splunked38
Communicator

ok, the answer is...remove the quotes!

The following works:

 host_regex =_*?([a-z]+[0-9]+[a-z]+[0-9]+)-.+\\.log$


0 Karma


lukejadamec
Super Champion

I'm not sure how many slashes, but this might work for your host_regex in inputs.conf

\\\\\([a-z]+[0-9]+[a-z]+[0-9]+)-.+.log$"

0 Karma

splunked38
Communicator

Sorry, this doesn't work, even without the quotes. Using the regex (.+), the path is prefixed with 'source:' therefore the regex will fail. The solution below.

0 Karma

antlefebvre
Communicator

Per

Splunk inputs.conf doc

the host_regex extracts from the path, not the filename.

Alternate solution. Put each server log in its own folder and use host_regex or, easier, use host_segment.

0 Karma
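To show why the quoted value in the original inputs.conf failed and what the accepted unquoted pattern does, here is an added Python example (not from the thread or from Splunk) that applies the thread's regex to the source paths the way host_regex is applied: an unanchored search over the full path, first capture group as the host, and the indexer's own name as the fallback when nothing matches. It also models the host_segment alternative suggested above with a simple 1-based split on backslashes (an assumption about segment numbering; the drive letter is counted as segment 1 here). The sample paths and the fallback name "splunkserver" are constructed from the thread's examples.

```python
import re

# Constructed sample source paths, modelled on the three in the question.
SAMPLE_SOURCES = [
    r"C:\foo\bar\Splunk\EET\fihel01srv001-Mon.log",
    r"C:\foo\bar\Splunk\CET\frpar01srv001-Mon.log",
    r"C:\foo\bar\Splunk\WET\uklon01srv001-Mon.log",
]

# The pattern from the thread with the quotes removed. The leading .*? is
# unnecessary: host_regex is searched over the path, not anchored at the start.
HOST_PATTERN = r"([a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"

# The original inputs.conf value, as the conf parser sees it: the double quotes
# are part of the regex, so the path (which contains no quote) can never match.
QUOTED_PATTERN = r'".*?([a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"'

# Constructed name of the indexer; host falls back to this when the regex fails.
INDEXER_HOST = "splunkserver"


def extract_host(source: str, pattern: str = HOST_PATTERN,
                 fallback: str = INDEXER_HOST) -> str:
    """Model host_regex: search the source path, return capture group 1,
    otherwise the fallback (which is what the questioner observed)."""
    m = re.search(pattern, source)
    return m.group(1) if m else fallback


def extract_hosts(sources, pattern: str = HOST_PATTERN) -> list:
    """Apply extract_host to a list of source paths."""
    return [extract_host(s, pattern) for s in sources]


def host_from_segment(source: str, segment: int,
                      fallback: str = INDEXER_HOST) -> str:
    """Model host_segment = N (assumed 1-based, split on backslashes):
    for a layout like C:\\logs\\<host>\\file.log, segment 3 is the host.
    A value that does not match the expected host shape is rejected, so a
    stray file dropped on the share cannot set an arbitrary host name."""
    parts = source.split("\\")
    if segment < 1 or segment > len(parts):
        return fallback
    candidate = parts[segment - 1]
    return candidate if re.fullmatch(r"[a-z]+[0-9]+[a-z]+[0-9]+", candidate) else fallback


if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(src, "->", extract_host(src), "| quoted ->", extract_host(src, QUOTED_PATTERN))
    print(host_from_segment(r"C:\logs\fihel01srv001\Mon.log", 3))
```

The quoted pattern returns the indexer name for every path, which is exactly the symptom reported (host=splunkserver); dropping the quotes makes the capture group match the file name stem. Because anyone who can write to the fileshare controls the file names, keeping the host regex restricted to a tight character class (as the thread's pattern already does) is what stops a crafted file name from being indexed under an arbitrary host.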

splunked38
Communicator

Actually, the path includes the file name, you can test this by using the following regex: (.+)

0 Karma