Getting Data In

Why does set host by 'regex on path' work differently between Splunk Web and inputs.conf?

evelenke
Contributor

Hi Splunkers,

I have a set of directories (syslog collector), created for logs from remote hosts and containing the hostnames in their names. While indexing in Splunk, I need all the data to be mapped to the same source (source=myhosts) to avoid creating a new source for every new file.
I also need to extract the hostnames from the path, so I use 'regex on path'.

The issue is that when I create the input via Splunk Web, the regex works just fine and my host=remotehostname, but I can't declare the source value.
When I create the input in inputs.conf with the same regex, my host=splunkhostname.

The regex looks like this:

.*\/work\/SPLUNK\_HOSTS\_\/(?<host>\S[^\/]+).*

How can I fix it?

Thank you in advance.

0 Karma

gokadroid
Motivator

Can you try to see if host_segment is what you are looking for, to create the host names based on the directory paths? For example, in the stanza below the host is picked up from the 4th element of the directory path, as abc-host*:

inputs.conf
[monitor:///myLogDirectory/myRegionDirectory/myEnvDirectory/abc-host*/xyz.log]
host_segment = 4
0 Karma

evelenke
Contributor

Hi,

Strange, but host_segment doesn't work from inputs.conf either...
A strictly declared host (host=mydevicename) works fine.

0 Karma

somesoni2
SplunkTrust

Are you overriding the source attribute in inputs.conf and then host = .*\/work\/SPLUNK\_HOSTS\_\/(?<host>\S[^\/]+).* is not working? Mind sharing your inputs.conf entry (in full)?

0 Karma

evelenke
Contributor

Hi,

Here are my stanzas. Sorry, but I have to change the names.

[monitor:///work/VENDOR_DEVICES_/mydevice.mydomain.com]
disabled = false
index = vendor
source = vendor_model
host_regex = .*DEVICES\_\/(?<host>\S[^\/]+).*

The source value is unique for this type of device.

Also, I should mention the folder structure inside each folder, which looks like the following:

/work/VENDOR_DEVICES_/mydevice.mydomain.com/2016/2016-12/2016-12-28/mydevice.mydomain.com_20161228.txt
0 Karma
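To check what the two host-assignment mechanisms discussed in this thread (host_regex with a named capture group, and host_segment with a path index) would yield for the paths posted above, here is an added Python emulation. It is not Splunk code and not part of the original thread: it models only the capture-group and segment-counting behaviour, not Splunk's full precedence rules between host, host_regex and host_segment. The sample paths are constructed from the directory layouts given in the posts, and the pcre_to_python helper exists only because Splunk compiles host_regex with PCRE's (?<name>...) syntax while Python's re module needs (?P<name>...).

```python
import re
from typing import Optional

# Constructed sample paths, modelled on the layouts quoted in the thread
# (asker's VENDOR_DEVICES_ tree and gokadroid's host_segment = 4 example).
SAMPLE_PATHS = [
    "/work/VENDOR_DEVICES_/mydevice.mydomain.com/2016/2016-12/2016-12-28/"
    "mydevice.mydomain.com_20161228.txt",
    "/work/VENDOR_DEVICES_/otherdevice.mydomain.com/2017/2017-01/2017-01-05/"
    "otherdevice.mydomain.com_20170105.txt",
    "/myLogDirectory/myRegionDirectory/myEnvDirectory/abc-host01/xyz.log",
]

# host_regex exactly as written in the asker's inputs.conf stanza (PCRE syntax).
HOST_REGEX = r".*DEVICES\_\/(?<host>\S[^\/]+).*"


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named-group openers (?<name>...) into Python's (?P<name>...).

    Only the named-group form is touched; look-behinds (?<= and (?<! have no
    identifier after '<' and therefore do not match this substitution.
    """
    return re.sub(r"\(\?<(?P<n>[A-Za-z_]\w*)>", r"(?P<\g<n>>", pattern)


def host_from_regex(path: str, pattern: str = HOST_REGEX) -> Optional[str]:
    """Emulate host_regex: return the 'host' capture group for the path,
    or None when the pattern does not match at all."""
    m = re.match(pcre_to_python(pattern), path)
    return m.group("host") if m else None


def host_from_segment(path: str, segment: int) -> Optional[str]:
    """Emulate host_segment = N: the N-th '/'-separated component of the path,
    counted from 1 after the leading '/'. None when N is out of range."""
    parts = [p for p in path.split("/") if p]
    return parts[segment - 1] if 0 < segment <= len(parts) else None


def resolve_host(path: str, default_host: str, pattern: str = HOST_REGEX,
                 segment: Optional[int] = None) -> str:
    """Pick a host the way an operator would expect: regex capture first,
    then segment index, then the default host (the indexer's own name).
    This ordering is an assumption for illustration, not Splunk's documented
    precedence."""
    candidate = host_from_regex(path, pattern)
    if candidate is None and segment is not None:
        candidate = host_from_segment(path, segment)
    return candidate if candidate else default_host


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p)
        print("  host_regex      ->", host_from_regex(p))
        print("  host_segment=3  ->", host_from_segment(p, 3))
        print("  host_segment=4  ->", host_from_segment(p, 4))
        print("  resolved        ->", resolve_host(p, "splunkhostname", segment=3))
```

Running it shows that, on the asker's tree, the regex and host_segment = 3 agree (both yield mydevice.mydomain.com), while gokadroid's example layout needs host_segment = 4; a path that matches neither mechanism falls through to the default host, which is the symptom described in the question.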