Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Host Regex Help

edwardrose
Contributor
‎09-12-2017 08:48 AM

Hello All,

I really need to get good at regex and learn to do this myself but alas there are so many other things that seem to be a priority right now. I have the following log file names.

    log_SVR-IES-PAN-RAMA-01-20170806
    log_SVR-ORW-PAN-RAMA-01-20170806
    log_SVR-IES-PAN-RAMA-01-20170813
    log_SVR-ORW-PAN-RAMA-01-20170813
    log_SVR-IES-PAN-RAMA-01-20170820
    log_SVR-ORW-PAN-RAMA-01-20170820
    log_SVR-IES-PAN-RAMA-01-20170827
    log_SVR-ORW-PAN-RAMA-01-20170827
    log_SVR-IES-PAN-RAMA-01-20170903
    log_SVR-ORW-PAN-RAMA-01-20170903
    log_SVR-IES-PAN-RAMA-01-20170910
    log_SVR-ORW-PAN-RAMA-01-20170910
    log_SVR-IES-PAN-RAMA-01
    log_SVR-ORW-PAN-RAMA-01

I am monitoring the log files with the following stanza:

[monitor:///var/log2/gns/palo/log_*]
index = panlog
host_regex = (?<=log_).+-01
sourcetype = pan:log
no_appending_timestamp = true

So the question is will the host_regex just give the host name svr-orw|ies-pan-rama-01? According to the regexr.com/v1 site it should but I want to make sure it is correct before I implement it.

THanks
ed

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-12-2017 09:28 AM

Splunk uses the first capturing group as the host name so you will need something like host_regex = log_(.+)-01.

---
If this reply helps you, Karma would be appreciated.
Reply

edwardrose
Contributor
‎09-12-2017 09:38 AM

But I do not want the "log_" section so I assume that SVR(.+)-01 will work for just the hostname?

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-12-2017 11:21 AM

The part of the pattern that matches between '(' and ')' (i.e. the capturing group) will be used, so rich's answer is correct. 'log_' is not inside the capturing group, and neither is '-01', so they will just be used to match.
If the '-01' part can vary, you can use log_(.+)-\d+. That would also match log_xxxxxxx-02, for example

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎09-12-2017 09:02 AM

Do the file names always follow that format? E.g.

log_SVR-\w{3}-\w{3}-\w{4}-\d{2}-?

0 Karma
Reply

edwardrose
Contributor
‎09-12-2017 09:23 AM

Yes they will always have that format, but all I need is what is between log_ and the -(date stamp)
Which I think I can get with SVR-\w{3}-\w{3}-\w{4}-\d{2}, correct?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...