Hi,
I am new to Splunk and regex. I have a folder: D:\SplunkForwarderCache\TimeSyncLogs\Linux. This folder contains files in the format [servername]_[currentdate].
I am using the universal forwarder to send logs to Splunk Enterprise. I am able to successfully send the logs; however, when I modify inputs.conf to add the host_regex parameter to extract the server name for the host field... it does not work.
Details:
inputs.conf location for the universal forwarder: C:\Program Files\SplunkUniversalForwarder\etc\apps\search\local
Content of inputs.conf for the universal forwarder:
[monitor://D:\SplunkForwarderCache\TimeSyncLogs\Linux]
host_regex = Linux\(\w+)_
disabled = false
index = timesynclinuxlogs
I have restarted the universal forwarder after this change, but it has no effect. When I do a new search index=timesynclinuxlogs, the host value is still the hostname of the universal forwarder and not the value extracted from the log file name.
Please help...
Hi neltonk,
please try a different regex in the host_regex parameter:
Linux\\(\w+)_
or
D:\\SplunkForwarderCache\\TimeSyncLogs\\Linux\\(\w+)_
Backslash is a special character in regexes and must be escaped.
Bye.
Giuseppe
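To see why the escaping matters before touching the forwarder, the three host_regex values from this thread can be tried against a sample file path offline. The script below is an added example, not code from the original posts or from Splunk; it uses Python's re module on the assumption that, for these simple patterns, it accepts and rejects the same expressions as the PCRE engine Splunk uses, and the file path and server name are constructed sample values.

```python
import re

# Constructed sample: a Windows path as the monitor input would present it.
# The raw string keeps the single backslashes literal, as they are on disk.
SAMPLE_PATH = r"D:\SplunkForwarderCache\TimeSyncLogs\Linux\webserver01_20190412"

# Candidate host_regex values, written exactly as they would appear in inputs.conf.
CANDIDATES = {
    # From the question: "\(" is a literal "(", so the pattern has an unmatched ")".
    "original": r"Linux\(\w+)_",
    # Giuseppe's first suggestion: "\\" is a literal backslash, "(\w+)" captures the name.
    "escaped": r"Linux\\(\w+)_",
    # Giuseppe's second suggestion: the full path with every backslash escaped.
    "full": r"D:\\SplunkForwarderCache\\TimeSyncLogs\\Linux\\(\w+)_",
}


def extract_host(pattern: str, path: str):
    """Apply pattern to path the way host_regex is used: capture group 1 becomes host.

    Returns the captured name, None when the pattern compiles but does not match,
    or a string starting with "regex error" when the pattern is not a valid regex.
    """
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        return f"regex error: {exc}"
    match = compiled.search(path)
    return match.group(1) if match else None


def check_all(path: str = SAMPLE_PATH) -> dict:
    """Run every candidate against the path and report what host would be set to."""
    return {name: extract_host(pattern, path) for name, pattern in CANDIDATES.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name:>8}: {result}")
```

Only the two escaped forms yield webserver01; the original pattern is not even a valid regex, which is consistent with the host field silently staying at the forwarder's hostname. One further caveat when adapting this: \w does not match a hyphen, so a server name such as web-01 would need a capture group like ([\w-]+) instead.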
The above issue seems to have been resolved... the change (host_regex added to inputs.conf yesterday) seems to take a lot of time to reflect on existing data (5 GB) in Splunk Enterprise. Is my understanding correct?
I have also added the sourcetype parameter to inputs.conf today... I can see it gets reflected for files uploaded today, but it has not changed for old files. Does the sourcetype parameter change for old files, or do I have to delete the monitor and the index and ingest the data again?
No, the data that has been indexed previously will not have the new sourcetype value.