This is a good job for host_regex, which is an option in inputs.conf. A host_regex similar to this should work for newly indexed data. (It won't fix previously indexed data is my point.)
[monitor:///home/user/files]
host_regex=^/home/user/files/([^_]+)_\d+\.log$
This should do it:
^/\w+/\w+/\w+/(?<server>\w+)_
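A dry run of both patterns above over constructed file paths, added here as an example and not part of the original answers. It assumes Python's `re` behaves like Splunk's PCRE for these patterns, that the first capture group becomes the host with a fallback to the default host when nothing matches, and a placeholder default host name `forwarder01`.

```python
import re

# host_regex from the inputs.conf stanza above: first capture group is the host.
HOST_REGEX = re.compile(r"^/home/user/files/([^_]+)_\d+\.log$")
# Second pattern on the page; Python spells the named group (?P<server>...).
SERVER_REGEX = re.compile(r"^/\w+/\w+/\w+/(?P<server>\w+)_")

DEFAULT_HOST = "forwarder01"  # placeholder for the input's default host (assumption)

# Constructed sample paths, chosen to exercise the edge cases of both patterns.
SAMPLE_PATHS = [
    "/home/user/files/web01_20240101.log",   # the expected naming scheme
    "/home/user/files/db-02_7.log",          # hyphen in the server name
    "/home/user/files/app_server_3.log",     # underscore in the server name
    "/home/user/files/web01.log",            # no _<digits> suffix
    "/home/user/files/archive/web01_1.log",  # file in a subdirectory
]


def host_for(path, regex=HOST_REGEX, default=DEFAULT_HOST):
    """Return (host, matched): group 1 on a match, else the default host."""
    m = regex.search(path)
    if m and m.group(1):
        return m.group(1), True
    return default, False


def dry_run(paths, regex=HOST_REGEX):
    """Map each path to the host it would be indexed under."""
    return {p: host_for(p, regex) for p in paths}


def unmatched(paths, regex=HOST_REGEX):
    """Paths that would silently fall back to the default host."""
    return [p for p in paths if not host_for(p, regex)[1]]


if __name__ == "__main__":
    for name, rx in (("host_regex", HOST_REGEX), ("second pattern", SERVER_REGEX)):
        print(name)
        for path, (host, ok) in dry_run(SAMPLE_PATHS, rx).items():
            print(f"  {'match  ' if ok else 'DEFAULT'} {host:15} {path}")
```

The two patterns disagree on the edge cases: `[^_]+` rejects a server name containing an underscore but accepts a `/`, so a file in a subdirectory yields `archive/web01`, while `\w+` accepts the underscore and rejects the hyphenated name.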