I have concocted a basic regular expression to find all Splunk indexes from matching hosts. The idea of the regex is to find all indexes by hosts that:
(Also, sourcetype should be from syslog)
Splunk searches and regexes I have tried are:
(Note, Splunk isn't letting me post backslashes in my code... even if I use quadruple backslashes to try and escape, so imagine the forward slashes below are backslashes)
sourcetype=syslog host="(?:us|ln)/w*/./w/./w"
sourcetype=syslog host_regex="(?:us|ln)/w*/./w/./w"
sourcetype=syslog regex host="(?:us|ln)/w*/.w/w*/./w"
If I remove the regex section, and do a search with host="*", I receive indexes with host fields such as:
uslx1099.intranet.local
uslx508.intranet.local
mylx091.intranet.local
usax555
lnax01b
Any assistance or clarification as to what I may be doing wrong would be greatly appreciated.
Thanks,
Try this
sourcetype=syslog | where match(host,"(?:us|ln)\wx.*")
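As an added example (not part of the answer or the question), the answer's regex run over the host values quoted in the question, with Python's re.search standing in for Splunk's match(), which accepts a regex that matches anywhere in the host string. The constructed host backuslx01 is an assumption added to show why anchoring with ^ matters when the pattern is meant as a prefix test.

```python
import re

# Host values quoted in the question, used here as sample input.
SAMPLE_HOSTS = [
    "uslx1099.intranet.local",
    "uslx508.intranet.local",
    "mylx091.intranet.local",
    "usax555",
    "lnax01b",
]

# Constructed host (not from the page): contains "us" in the middle of the name.
CONSTRUCTED_HOST = "backuslx01.intranet.local"

# Regex from the answer, written as a raw string so the backslash survives
# (the question had to use forward slashes as a stand-in for backslashes).
ANSWER_REGEX = r"(?:us|ln)\wx.*"


def matching_hosts(hosts, pattern, anchor=False):
    """Return the hosts the pattern matches.

    Emulates Splunk's match(host, pattern): the regex only needs to match
    somewhere in the string, so re.search is used rather than re.match.
    With anchor=True the pattern is prefixed with ^ so "us"/"ln" must be
    at the start of the host name, not anywhere inside it.
    """
    rx = re.compile("^" + pattern if anchor else pattern)
    return [h for h in hosts if rx.search(h)]


if __name__ == "__main__":
    hosts = SAMPLE_HOSTS + [CONSTRUCTED_HOST]
    print("unanchored:", matching_hosts(hosts, ANSWER_REGEX))
    print("anchored:  ", matching_hosts(hosts, ANSWER_REGEX, anchor=True))
```

The unanchored form also accepts usax555 and lnax01b, since the pattern only requires one word character between the prefix and the x; tighten the regex if those should be excluded.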