We have got few servers which could come with or without FQDN in its name. I'm not sure how Splunk UF generates the hostname of the servers, but it seems not consistent.
So have to filter serverclass to accomodate this
1. Is Serverclass able to accomodate proper regex in whitelist?
2. Help with regex below
# below is sample hostnames myhost.co.uk myhost myhost.internal.co.uk myhostIncorrect.co.uk somemyhostidontwant.co.uk
I want to extract only
myhost.co.uk myhost myhost.internal.co.uk
myhost(?:\.)?.* but it is capturing
myhostIncorrect.co.uk which I don't require. How to make it strict so it collects
myhost && myhost\.* in a single expression?
Yes PCRE regex is supported in whitelists and blacklists.
* These patterns are PCRE regular expressions, with the following aids for easier entry: * You can specify simply '.' to mean '\.' * You can specify simply '*' to mean '.*' * Matches are always case-insensitive; you do not need to specify the '(?i)' prefix.
Also you don’t need the ^ because all splunk regexes are anchored to the start.
You could match al the same matches in your regex101 example with the following:
By the way, see this answer for how splunk determines the forwarder name:
hi jKat, thanks for your reply. I had seen the above spec but still not able to my question. I can see how to override the hostname, but I was looking something more intrinsic on "How Splunk determines" the hostname on startup. Does it use something like
hostname -s or
hostname or something internal ? This way I could write a script to determine the expected hostnames of the client.
Regarding, regex unfortunately your above example
myhost* will capture
myhostIncorrect.co.uk which is not required.
Yes it’s whatever is returned by hostname command on install. See this answer for a deeper explanation:
For your regex, you should probably use a blacklist in conjunction with a whitelist. Today you don’t want myhostWrongName tomorrow you don’t want myhostSomeOtherName and one regex won’t cover all the scenarios you’ll come up with. So just use * and . and whitelists in conjunction with blacklists.
It's best to be specific as you can be with regex. If you look for the end of line termination ("$") then you can account for the optional domain levels :
whitelist.0 = myhost(?:(?:\.internal)?\.co\.uk)?$