Splunk Search

Add Data: Input Settings: Regular expression on path/filename to create Host field

masonmorales
Influencer

I'm adding a CSV using the "Add Data" GUI in Splunk 6.2. When I get to the Input Settings page, I have the option to specify a "Regular expression on path" to define the Host field. However, I have not been able to find any documentation on the correct syntax.

I'm not really concerned with the path of the file, so much as I am the file name in the path. So, for example, my file name is:

albatross-b8197b6cf24c.abcd.20150208.hardata.csv

I want to extract "b8197b6cf24c" and use that as the Host name. How would I specify the regular expression to do that from the Input Settings of the GUI?

Tags (5)
0 Karma
1 Solution

Lucas_K
Motivator

Based on a file location similar to /opt/input_data/albatross-b8197b6cf24c.abcd.20150208.hardata.csv

You could use something like

\/\S+-(?<host>.+)\.\w+\.+\S+\d+\.\w+\.csv

Someone can provide a neater regex but you get the idea.

Doco is here : http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Setadefaulthostforaninput

Edit inputs.conf
You can set up dynamic host extraction rules by directly configuring inputs.conf.

Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.

Use the host_regex attribute to override the host field with a value extracted through a regular expression:

[monitor://]
host_regex =
The regular expression extracts the host value from the filename of each input. The first capturing group of the regular expression is used as the host.

View solution in original post

Lucas_K
Motivator

Based on a file location similar to /opt/input_data/albatross-b8197b6cf24c.abcd.20150208.hardata.csv

You could use something like

\/\S+-(?<host>.+)\.\w+\.+\S+\d+\.\w+\.csv

Someone can provide a neater regex but you get the idea.

Doco is here : http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Setadefaulthostforaninput

Edit inputs.conf
You can set up dynamic host extraction rules by directly configuring inputs.conf.

Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.

Use the host_regex attribute to override the host field with a value extracted through a regular expression:

[monitor://]
host_regex =
The regular expression extracts the host value from the filename of each input. The first capturing group of the regular expression is used as the host.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...