23/01/2023, 20:01 Solved: Extracting hostname from filename - inputs.conf on... - Splunk Community

Extracting hostname from filename - inputs.conf on UF - host_regex issue
dewald13 03-20-2013 05:06 PM
Path Finder

Having an issue with bluecoat logs that are dropped on a server with a UF. Attempting to
extract the hostname with the following:

host_regex = /logs/rsyslog/bclogs/(.*)-\d{6}[.]log[.]gz

Checked this regex in regexr and it works perfectly.

Sample file names - Host format (ABC-G-PXYW-XXX)

/logs/rsyslog/bclogs/ABC-G-PXYW-002-032016.log.gz
/logs/rsyslog/bclogs/AEC-G-PXYW-001-032016.log.gz
/logs/rsyslog/bclogs/ABC-G-PXYW-002-032014.log.gz
/logs/rsyslog/bclogs/DEF-G-PXYW-003-032016.log.gz

The host is coming in set as the name of the log server, rather than the name.

Thoughts?

Tags:
host_regex hostname inputs.conf universal-forwarder

https://community.splunk.com/t5/Getting-Data-In/Extracting-hostname-from-filename-inputs-conf-on-UF-host-regex/m-p/69131 1/7
2 Karma
Solution

bwooden 03-21-2013 10:44 AM
Splunk Employee

If you've restarted your forwarder and don't have any host overrides on your
parser/indexer, your regex should work. As should something like this:

host_regex=/logs/rsyslog/bclogs/([\w-]+)(?=-\d{6}\.log\.gz)

1 Karma

dewald13 03-21-2013 12:06 PM
Path Finder

That worked with the "/"

Thanks!

0 Karma

dshpritz 03-21-2013 06:08 AM
SplunkTrust

There may also be some metadata rewrites happening, depending on the sourcetype (for
example, the syslog sourcetype has built in rewrites).

0 Karma

dshpritz 03-21-2013 10:39 AM
SplunkTrust

Just for a sanity check, has the UF been restarted? The regex looks correct. The other
thought is that the system doing the parsing (Heavy Forwarder or Indexer) is overwriting
it.

0 Karma

dewald13 03-21-2013 09:49 AM
Path Finder

Try this one more time.

"^\/logs\/rsyslog\/bclogs\/(.*)-d{6}[.]log[.]gz"

0 Karma

dshpritz 03-21-2013 09:39 AM
SplunkTrust

You need two backslashes for it to display correctly on Splunkbase:

host_regex = ^/logs/rsyslog/bclogs/(.*)-\d{6}[.]log[.]gz

(bitten me tons of times)

1 Karma

dewald13 03-21-2013 09:39 AM
Path Finder

the site is ripping out the backslashes...

"^\/logs\/rsyslog\/bclogs\/(.*)-\d{6}[.]log[.]gz"

0 Karma

dewald13 03-21-2013 07:47 AM
Path Finder

This is the current inputs.conf on the Universal Forwarder:

index = proxysg
sourcetype = squid
ignoreOlderThan = 60m
disabled = false
host_regex = /logs/rsyslog/bclogs/(.*)-\d{6}[.]log[.]gz

0 Karma

kristian_kolb 03-20-2013 06:28 PM
Ultra Champion

You're not changing the source are you? See below.

host_regex = <regular expression>
* If specified, <regular expression> extracts host from the path to the
  file for each input file.
* Detail: This feature examines the source key, so if source is set
  explicitly in the stanza, that string will be matched, not the original filename.
* Specifically, the first group of the regex is used as the host.
* If the regex fails to match, the default "host =" attribute is used.
* If host_regex and host_segment are both set, host_regex will be ignored.

Please post the full inputs.conf stanza for the bc logs.

/k

0 Karma
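Added illustration of the host_regex rules quoted above (kristian_kolb's spec excerpt) and of the two regexes in bwooden's accepted solution; this is example code written for this page, not code from the thread or from Splunk. It applies each host_regex that appears in the thread to the sample file paths and shows the host each event would get: the first capture group on a match, the default "host =" value when the regex does not match (including the version with the backslash stripped by the forum), what happens when source is overridden in the stanza, and host_segment taking precedence over host_regex. Python's re module stands in for Splunk's PCRE engine; for these patterns the two agree. The default host name logserver01, the fifth sample path without .gz, and the 1-based host_segment numbering (taken from the Splunk docs, not from this page) are assumptions made for the example.

```python
import re

# Constructed sample sources: the four file paths from the thread plus one
# without the .gz suffix, added here to show the fallback behaviour.
SAMPLE_SOURCES = [
    "/logs/rsyslog/bclogs/ABC-G-PXYW-002-032016.log.gz",
    "/logs/rsyslog/bclogs/AEC-G-PXYW-001-032016.log.gz",
    "/logs/rsyslog/bclogs/ABC-G-PXYW-002-032014.log.gz",
    "/logs/rsyslog/bclogs/DEF-G-PXYW-003-032016.log.gz",
    "/logs/rsyslog/bclogs/DEF-G-PXYW-003-032016.log",  # constructed: must not match
]

# The host_regex values that appear in the thread.
ORIGINAL_REGEX = r"/logs/rsyslog/bclogs/(.*)-\d{6}[.]log[.]gz"
LOOKAHEAD_REGEX = r"/logs/rsyslog/bclogs/([\w-]+)(?=-\d{6}\.log\.gz)"
# ORIGINAL_REGEX as it reads once the forum has eaten the backslash before d{6}:
# it now demands the literal string "dddddd" and never matches a real file.
STRIPPED_REGEX = r"/logs/rsyslog/bclogs/(.*)-d{6}[.]log[.]gz"

# Assumed default host: what "host =" resolves to on the UF, normally the
# forwarder's own hostname, which is exactly the symptom the thread describes.
DEFAULT_HOST = "logserver01"


def resolve_host(source, host_regex, default_host=DEFAULT_HOST, host_segment=None):
    """Apply the inputs.conf.spec rules quoted in the thread to one event's source.

    * host_regex is matched against the source key, so an explicit "source ="
      in the stanza is what gets matched, not the on-disk filename.
    * The first capture group becomes host.
    * If the regex does not match, default_host ("host =") is used.
    * If host_segment is also set, host_regex is ignored. The 1-based segment
      numbering used here follows the Splunk docs and is an assumption.
    """
    if host_segment is not None:
        segments = [s for s in source.split("/") if s]
        if 0 < host_segment <= len(segments):
            return segments[host_segment - 1]
        return default_host
    match = re.search(host_regex, source)
    if match is None or match.lastindex is None:
        return default_host
    return match.group(1)


def resolve_all(host_regex, sources=SAMPLE_SOURCES, **kwargs):
    """Map every sample source to the host Splunk would assign it."""
    return {src: resolve_host(src, host_regex, **kwargs) for src in sources}


def unmatched(host_regex, sources=SAMPLE_SOURCES):
    """Sources that would silently fall back to the default host.

    Run this before deploying a host_regex: a regex that matches nothing raises
    no error, it just leaves every event tagged with the forwarder's name.
    """
    return [src for src in sources if re.search(host_regex, src) is None]


if __name__ == "__main__":
    for label, rx in [("original", ORIGINAL_REGEX),
                      ("lookahead", LOOKAHEAD_REGEX),
                      ("backslash stripped", STRIPPED_REGEX)]:
        print(f"== {label}: {rx}")
        for src, host in resolve_all(rx).items():
            print(f"  {host:<16} <- {src}")
        print(f"  unmatched: {unmatched(rx)}")
    # Pitfall from the spec text: "source = bluecoat" in the stanza means the
    # regex is matched against "bluecoat", never against the filename.
    print("source overridden ->", resolve_host("bluecoat", ORIGINAL_REGEX))
    # Pitfall: host_segment set alongside host_regex makes the regex irrelevant.
    print("host_segment=3    ->", resolve_host(SAMPLE_SOURCES[0], ORIGINAL_REGEX, host_segment=3))
```

The unmatched() check is the one worth keeping around: Splunk gives no warning when host_regex fails to match, so a silently wrong hostname on every event is the only signal, which is what the original poster saw.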
