Splunk Search

host_regex is not working extract host name from windows path

splunked38
Communicator

All,

I'm trying to use host_regex to extract host names for input

Background:

  • All logs are copied to a windows fileshare (installing agents on the servers is out of scope, it would make life easier)
  • logs are in different folders (split because they all have different timezones; servers cannot use UTC/GMT)
  • logs are in the following locations and format:
    C:\foo\bar\Splunk\EET\fihel01srv001-Mon.log
    C:\foo\bar\Splunk\CET\frpar01srv001-Mon.log
    C:\foo\bar\Splunk\WET\uklon01srv001-Mon.log
    etc...

Aim

to get:

fihel01srv001

frpar01srv001

uklon01srv001

Attempted:

  • the following (unoptimised) search works:
    index=test | rex field=source ".*?(?[a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"

but...

when putting this into inputs.conf, it doesn't work

host field is set to the server that is indexing the logs

ie: host=splunkserver

inputs.conf:
[monitor://C:\foo\bar\Splunk\WET\*.log]
disabled = false
followTail = 0
index = test
sourcetype = testlogs
crcSalt=
host_regex = ".*?([a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"

BTW: also open to other alternative solutions...

1 Solution

splunked38
Communicator

ok, the answer is...remove the quotes!

The following works:

 host_regex = .*?([a-z]+[0-9]+[a-z]+[0-9]+)-.+\\.log$


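As an added illustration (not part of this thread or of Splunk's own code), here is the pattern from the working search above applied in Python to constructed paths laid out like the ones in the question. Group 1 is what host_regex would take as the host. It assumes, consistent with the accepted answer, that Splunk takes the conf value literally, so a quoted pattern has to match a literal double quote at the start of the path and never does; it also shows the fallback to the indexer's host name when nothing matches (for instance an upper-case file name, since [a-z] is case-sensitive), which is the silent misattribution worth auditing for. Python's re is used for the regex; Splunk's conf-file backslash handling is not reproduced here.

```python
import re
from typing import List, Optional

# Pattern body from the working rex search in the question; group 1 is the host.
HOST_REGEX = r".*?([a-z]+[0-9]+[a-z]+[0-9]+)-.+\.log$"

# Same pattern wrapped in double quotes, as in the non-working inputs.conf.
# Assumption: the quotes become part of the regex, so a path beginning with
# 'C:' can never satisfy the leading literal '"'.
QUOTED_HOST_REGEX = '"' + HOST_REGEX + '"'

# The indexer's host name from the question, used when extraction fails.
INDEXER_HOST = "splunkserver"

# Constructed sample paths in the layout described in the question.
SAMPLE_PATHS = [
    r"C:\foo\bar\Splunk\EET\fihel01srv001-Mon.log",
    r"C:\foo\bar\Splunk\CET\frpar01srv001-Mon.log",
    r"C:\foo\bar\Splunk\WET\uklon01srv001-Mon.log",
    # Constructed edge case: upper-case file name. [a-z] does not match it,
    # so the event would silently be attributed to the indexer.
    r"C:\foo\bar\Splunk\WET\UKLON01SRV001-Mon.log",
]


def extract_host(path: str, pattern: str = HOST_REGEX) -> Optional[str]:
    """Return group 1 of pattern matched from the start of path, or None."""
    m = re.match(pattern, path)
    return m.group(1) if m else None


def resolve_host(path: str, pattern: str = HOST_REGEX,
                 fallback: str = INDEXER_HOST) -> str:
    """Host value the event would carry: the extracted one, else the fallback."""
    return extract_host(path, pattern) or fallback


def audit_fallbacks(paths: List[str], pattern: str = HOST_REGEX,
                    fallback: str = INDEXER_HOST) -> List[str]:
    """Paths whose events would end up with the indexer's host name."""
    return [p for p in paths if resolve_host(p, pattern, fallback) == fallback]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p} -> {resolve_host(p)}")
    print("quoted pattern:", resolve_host(SAMPLE_PATHS[0], QUOTED_HOST_REGEX))
    print("fallback paths:", audit_fallbacks(SAMPLE_PATHS))
```

In practice the same check is a search for host=splunkserver in the target index: any hit means a file name that the host_regex did not match, which is cheaper to catch early than to re-attribute events later.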

lukejadamec
Super Champion

I'm not sure how many slashes, but this might work for your host_regex in inputs.conf:

\\\\\([a-z]+[0-9]+[a-z]+[0-9]+)-.+.log$"


splunked38
Communicator

Sorry, this doesn't work, even without the quotes. Using the regex (.+), the path is prefixed with 'source:', therefore the regex will fail. The solution is below.


antlefebvre
Communicator

Per the Splunk inputs.conf doc, the host_regex extracts from the path, not the filename.

Alternate solution. Put each server log in its own folder and use host_regex, or, easier, use host_segment.


splunked38
Communicator

Actually, the path includes the file name, you can test this by using the following regex: (.+)
