Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

serverclass and regex help for wildcard

koshyk
Super Champion
‎12-03-2017 05:35 AM

We have got few servers which could come with or without FQDN in its name. I'm not sure how Splunk UF generates the hostname of the servers, but it seems not consistent.
So have to filter serverclass to accomodate this

Two questions
1. Is Serverclass able to accomodate proper regex in whitelist?
2. Help with regex below

# below is sample hostnames
myhost.co.uk
myhost
myhost.internal.co.uk
myhostIncorrect.co.uk
somemyhostidontwant.co.uk

I want to extract only

myhost.co.uk
myhost
myhost.internal.co.uk

https://regex101.com/r/qgKCxP/1
I'm using myhost(?:\.)?.* but it is capturing myhostIncorrect.co.uk which I don't require. How to make it strict so it collects myhost && myhost\.* in a single expression?

0 Karma
Reply

wenthold
Communicator
‎12-04-2017 06:35 AM

It's best to be specific as you can be with regex. If you look for the end of line termination ("$") then you can account for the optional domain levels :

whitelist.0 = myhost(?:(?:\.internal)?\.co\.uk)?$
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎12-03-2017 06:29 AM

Yes PCRE regex is supported in whitelists and blacklists.

From serverass.conf.spec

 * These patterns are PCRE regular expressions, with the following aids for easier entry:
 * You can specify simply '.' to mean '\.'
 * You can specify simply '*' to mean '.*'
 * Matches are always case-insensitive; you do not need to specify the '(?i)' prefix.

Also you don’t need the ^ because all splunk regexes are anchored to the start.

You could match al the same matches in your regex101 example with the following:

whitelist.0=myhost*

By the way, see this answer for how splunk determines the forwarder name:

https://answers.splunk.com/answers/171928/how-can-i-control-the-clients-host-name-that-appea.html

Reply

koshyk
Super Champion
‎12-03-2017 07:16 AM

hi jKat, thanks for your reply. I had seen the above spec but still not able to my question. I can see how to override the hostname, but I was looking something more intrinsic on "How Splunk determines" the hostname on startup. Does it use something like hostname -s or hostname or something internal ? This way I could write a script to determine the expected hostnames of the client.

Regarding, regex unfortunately your above example myhost* will capture myhostIncorrect.co.uk which is not required.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎12-03-2017 08:02 AM

Yes it’s whatever is returned by hostname command on install. See this answer for a deeper explanation:

https://answers.splunk.com/answers/154999/how-can-i-change-the-default-hostname-in-splunk.html

For your regex, you should probably use a blacklist in conjunction with a whitelist. Today you don’t want myhostWrongName tomorrow you don’t want myhostSomeOtherName and one regex won’t cover all the scenarios you’ll come up with. So just use * and . and whitelists in conjunction with blacklists.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...