I have concocted a basic regular expression to find all Splunk indexes from matching hosts. The idea of the regex is to find all indexes by hosts that:

1. Begin with "us" or "ln"
2. The third character (after us or ln) can be any character
3. The fourth character is an x
4. The remaining characters can be any character or number
5. It can also be followed by .intranet.local (but is optional)

\

(Also, sourcetype should be from syslog)

Splunk searches and regexes I have tried are:

(Note, splunk isn't letting me post back slashes in my code... even if I use quadruple backslashes to try and escape, so imagine the forward slashes below are back slashes)

• sourcetype=syslog host="(?:us|ln)/w*/./w/./w"
• sourcetype=syslog host_regex="(?:us|ln)/w*/./w/./w"
• sourcetype=syslog regex host="(?:us|ln)/w*/.w/w*/./w"

If I remove the regex section, and do a search with host="*", I receive indexes with host fields such as:

uslx1099.intranet.local

uslx508.intranet.local

mylx091.intranet.local

usax555

lnax01b

Any assistance or clarification as to what I may be doing wrong would be greatly appreciated.

Thanks,