Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: why host_regex is not setting correct hostname
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to set hostnames extracting them from filenames
I'm using host_regex with this regex:
host_regex = (myserver[1-2].mydomain.com)\W+\w+\.s$
The paths are in this form:
/path/to/files/mail.text.myserver1.mydomain.com.@20141009T084808.s
/path/to/files/mail.text.myserver2.mydomain.com.@20141009T104107.s
I have tried different rex all matching correctly "myserver[1-2].mydomain.com" but in Splunk hostname is always set to default value (Splunk server hostname)
Anyone have some ideas to get it working?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, the problem is now clear with your provided input stanza.
From the inputs.conf.spec file:
host_regex = <regular expression>
* If specified, <regular expression> extracts host from the path to the file for each input file.
* Detail: This feature examines the source key, so if source is set
explicitly in the stanza, that string will be matched, not the original filename.
* Specifically, the first group of the regex is used as the host.
* If the regex fails to match, the default "host =" attribute is used.
* If host_regex and host_segment are both set, host_regex will be ignored.
* Defaults to unset.
host_regex uses the source value to extract from. However, you're overriding the value that the file-input code would provide with source=cisco:esa, removing the information you want host_regex to use. You should probably just remove the source=cisco:esa line.
This is anti-recommended in the spec as well.
source = <string>
* Sets the source key/field for events from this input.
* NOTE: Overriding the source key is generally not recommended. Typically, the
input layer will provide a more accurate string to aid in problem
analysis and investigation, accurately recording the file from which the data
was retreived. Please consider use of source types, tagging, and search
wildcards before overriding this value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, the problem is now clear with your provided input stanza.
From the inputs.conf.spec file:
host_regex = <regular expression>
* If specified, <regular expression> extracts host from the path to the file for each input file.
* Detail: This feature examines the source key, so if source is set
explicitly in the stanza, that string will be matched, not the original filename.
* Specifically, the first group of the regex is used as the host.
* If the regex fails to match, the default "host =" attribute is used.
* If host_regex and host_segment are both set, host_regex will be ignored.
* Defaults to unset.
host_regex uses the source value to extract from. However, you're overriding the value that the file-input code would provide with source=cisco:esa, removing the information you want host_regex to use. You should probably just remove the source=cisco:esa line.
This is anti-recommended in the spec as well.
source = <string>
* Sets the source key/field for events from this input.
* NOTE: Overriding the source key is generally not recommended. Typically, the
input layer will provide a more accurate string to aid in problem
analysis and investigation, accurately recording the file from which the data
was retreived. Please consider use of source types, tagging, and search
wildcards before overriding this value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks jrodman,
removing source=cisco:esa solved the issue
It was there because I took the starting inputs.conf from the app README file
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I'll try to contact the app author.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm kind of confused about \W+\w+\.s$ I guess \W will match the .@ and the \w will match the timestamp?
I suppose a regex tester shows a successful match anyway. Probably this is not a regex problem.
Please show the whole input stanza, and let us know the sourcetype that is being applied to the data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you're correct: \W is for matching .@ and \w for the timestamp and a regex tester shows succeful match.
The sourcetype is cisco-esa because I'm using the app "Add-on for Cisco ESA"
This is the input stanza I'm using:
[monitor:///path/to/file]
source = cisco:esa
sourcetype = cisco:esa
host_regex = (myserver[1-2].mydomain.com)\W+\w+\.s$
disabled = false
host =
I'm not sure about that "host =" but is added by the web GUI. I already tried to remove it from the inputs.conf file but nothing changed
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
