Splunk Search

How to get the hostname from the logs?

kiran331
Builder

Hi,

I have the syslogs coming from 4 consoles into a single path; how do I extract the hostnames in the inputs.conf file?

log names:

mail.text.esa1.abc.iphmx.com.@20170413T093916.s
mail.text.esa2.abc.iphmx.com.@20170413T093916.s
mail.text.esa3.abc.iphmx.com.@20170413T093916.s
mail.text.esa4.abc.iphmx.com.@20170413T093916.s

required hostnames:
esa1.abc
esa2.abc
esa3.abc
esa4.abc


muebel
SplunkTrust

Hi kiran331, you'll have to add a transform specification to the props config on the source or sourcetype. The transform could have a REGEX set to something like:

mail\.text\.([^\.]+\.[^\.])\.iphmx\.com

Taking the config from another answer: https://answers.splunk.com/answers/91933/can-you-override-host-for-an-input.html

#props
[source::mysource]
TRANSFORMS-ho=hostoverride

#transforms
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = mail\.text\.([^\.]+\.[^\.])\.iphmx\.com
FORMAT = host::$1

You might need to adjust the source specification in props (your source probably isn't named "mysource"), and the regex might need adjusting as well to be more generic depending if you have different patterns for the hostnames in the source.

This config will need to be set on the indexer, or whatever splunk instance does the processing pipeline on the events.

Please let me know if this answers your question! 😄

kiran331
Builder

I tried this one, it didn't work. Do I have to mention anything under host= in inputs.conf?


niketn
Legend

I think a + was missed in the extracting expression:

^mail\.text\.([^\.]+\.[^\.]+)\.iphmx\.com

Following is the documentation for your use case with example: http://docs.splunk.com/Documentation/Splunk/latest/Data/Overridedefaulthostassignments#Example

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
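An added check (not posted by anyone in this thread) that runs both regexes from the answers above against the four source names from the question, mimicking what the [hostoverride] transform with FORMAT = host::$1 would write into MetaData:Host. Splunk evaluates REGEX with PCRE; for these two patterns Python's re module behaves identically.

```python
import re
from typing import List, Optional

# Constructed sample source paths, copied from the question in this thread.
SOURCES = [
    "mail.text.esa1.abc.iphmx.com.@20170413T093916.s",
    "mail.text.esa2.abc.iphmx.com.@20170413T093916.s",
    "mail.text.esa3.abc.iphmx.com.@20170413T093916.s",
    "mail.text.esa4.abc.iphmx.com.@20170413T093916.s",
]

# The REGEX from the first answer: the second character class has no '+',
# so it can only match a single character before ".iphmx.com" and never fires.
REGEX_ORIGINAL = r"mail\.text\.([^\.]+\.[^\.])\.iphmx\.com"
# The corrected REGEX from the follow-up answer.
REGEX_FIXED = r"^mail\.text\.([^\.]+\.[^\.]+)\.iphmx\.com"


def extract_host(source: str, regex: str = REGEX_FIXED) -> Optional[str]:
    """Mimic the transform: apply REGEX to the source path and return what
    FORMAT = host::$1 would assign as the host. None means no match, in which
    case Splunk keeps the default host for the event."""
    match = re.search(regex, source)
    return match.group(1) if match else None


def hosts_for(sources: List[str], regex: str = REGEX_FIXED) -> List[Optional[str]]:
    """Apply extract_host to every source path in order."""
    return [extract_host(s, regex) for s in sources]


if __name__ == "__main__":
    for src in SOURCES:
        print(src)
        print("  original regex ->", extract_host(src, REGEX_ORIGINAL))
        print("  fixed regex    ->", extract_host(src))
```

Running it shows the original regex returning None for every source and the corrected one returning esa1.abc through esa4.abc, which is why the first config appeared to do nothing.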