Splunk Search

v4.1.4 REGEX works.....v4.3.2 Doesn't

MasterOogway
Communicator

I have a hostname extraction TRANSFORMS.conf that works in v4.1.4, but since our upgrade to v4.3.2 it now doesn't extract the hostname. I have tried numerous changes to the REGEX on the new install but to no avail.

Example of incoming data:

<14>Jul 13 13:55:31 Message forwarded from hostname123:

Transforms.conf that worked:

[syslog-host-aix]
DEST_KEY = MetaData:Host
REGEX = \w+\s+\d+\s+\d{2}:\d{2}:\d\d\s+Message\sforwarded\sfrom\s([^:]+)
FORMAT = host::$1

I have tried many variations of the REGEX below in the Transforms.conf but none work.

[syslog-host-aix]
DEST_KEY = MetaData:Host
REGEX = .?Message\sforwarded\sfrom\s(\w):.*   <---- tried capturing entire line to no avail
REGEX = \w+\s+\d+\s+\d{2}:\d{2}:\d\d\s+Message\sforwarded\sfrom\s(.*?):
FORMAT = host::$1

Did something change in REGEXes from the older versions to the newer versions of Splunk? Any ideas of REGEXes to try? I am on version 10 and counting.


hurricanelabs
Path Finder

This is working for me without the log facility and level.

\w+\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\sMessage\sforwarded\sfrom\s([^:]+)

If you need to include it you could do:

\<\d{2}\>\w+\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\sMessage\sforwarded\sfrom\s([^:]+)
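As an added check (not code from either poster), the script below runs every REGEX from this thread against the sample event and expands the stanza's FORMAT the way a transforms.conf host override would. It assumes Python's re is a close enough stand-in for Splunk's PCRE for these patterns, and that a non-matching REGEX simply leaves DEST_KEY untouched (modelled here as None).

```python
import re
from typing import Optional

# Constructed sample event, copied from the example line in the question.
SAMPLE_LINE = "<14>Jul 13 13:55:31 Message forwarded from hostname123:"

# Candidate regexes quoted in the thread (Python re stands in for Splunk's PCRE here).
ORIGINAL_REGEX = r"\w+\s+\d+\s+\d{2}:\d{2}:\d\d\s+Message\sforwarded\sfrom\s([^:]+)"
SINGLE_CHAR_ATTEMPT = r".?Message\sforwarded\sfrom\s(\w):.*"  # (\w) captures one character only
LAZY_ATTEMPT = r"\w+\s+\d+\s+\d{2}:\d{2}:\d\d\s+Message\sforwarded\sfrom\s(.*?):"
ANSWER_NO_PRI = r"\w+\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\sMessage\sforwarded\sfrom\s([^:]+)"
ANSWER_WITH_PRI = r"\<\d{2}\>\w+\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\sMessage\sforwarded\sfrom\s([^:]+)"

# $1, $2, ... group references as used in a transforms.conf FORMAT line.
_GROUP_REF = re.compile(r"\$(\d+)")


def apply_transform(line: str, regex: str, fmt: str = "host::$1") -> Optional[str]:
    """Mimic one transforms.conf stanza: unanchored REGEX search, then FORMAT with $n expanded.

    Returns None when REGEX does not match; in Splunk that means DEST_KEY keeps its old value.
    """
    m = re.search(regex, line)
    if m is None:
        return None
    return _GROUP_REF.sub(lambda ref: m.group(int(ref.group(1))), fmt)


def evaluate_candidates(line: str = SAMPLE_LINE) -> dict:
    """Run every candidate REGEX from the thread against one event and collect the results."""
    candidates = {
        "original": ORIGINAL_REGEX,
        "single_char_attempt": SINGLE_CHAR_ATTEMPT,
        "lazy_attempt": LAZY_ATTEMPT,
        "answer_no_pri": ANSWER_NO_PRI,
        "answer_with_pri": ANSWER_WITH_PRI,
    }
    return {name: apply_transform(line, rx) for name, rx in candidates.items()}


if __name__ == "__main__":
    for name, result in evaluate_candidates().items():
        print(f"{name:22s} -> {result}")
```

Against the sample line every pattern except the single-character `(\w)` attempt yields host::hostname123, so a pattern that fails inside Splunk is worth checking against the raw event as actually indexed (leading PRI, line breaks, whitespace) rather than the regex alone.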