Hi,
I am collecting all log files to a syslog server where I have a Splunk forwarder installed. To override the source of the syslog server with the actual source, I'm trying to create a regular expression, but I can't figure it out. I am using host_regex inside input.conf to do this. Below is an example of my configuration:
input.conf:
[monitor:///var/log/syslog/]
host_regex=.*(\d+-\d+-\d+-\d+)*
My directory structure is /var/log/syslog//*.log
I have a directory for a specific host with a hostname, and, under that, I am receiving all logs from that specific host.
How can I get that directory name in the host_regex? So in Splunk, as the source, I can get the actual hostname and override the syslog server hostname.
Thanks in advance!
Sounds like our configuration, but we used host_segment.
The filestructure has the following naming:
BASEDIR/uc/INDEX/HOSTNAME/SOURCETYPE/LOGFILE
[monitor:///var/log/rsyslog-splunk/uc/vmware-esxilog/*/vmw-syslog/*.log]
host_segment = 6
It works very well and we don't need to regex the hostname.
Hello @meet_vadaria.
I recommend that you verify your regex on the website regex101.com.
I would imagine you might want
host_regex=.*(\d+-\d+-\d+-\d+)+
not host_regex=.*(\d+-\d+-\d+-\d+)*
or else the host name might end up empty?
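Added example, not code from this thread or from Splunk: a small Python simulation of how inputs.conf applies host_regex (the first capture group becomes the host) and host_segment (the Nth '/'-separated path segment), run over constructed source paths shaped like the two directory layouts above. It assumes the regex is searched anywhere in the path, which is an assumption rather than verified Splunk behaviour; it shows why the `*` quantifier yields an empty host, and why anchoring the pattern on the parent directory (or using host_segment) is more reliable than a leading greedy `.*`.

```python
import re
from typing import Optional

# Constructed sample paths (not from the thread): the directory under
# /var/log/syslog/ is the sending host's name, as in the question; the second
# path follows the BASEDIR/uc/INDEX/HOSTNAME/SOURCETYPE/LOGFILE layout.
SAMPLE_SOURCE = "/var/log/syslog/10-0-0-5/messages.log"
SAMPLE_ESXI = "/var/log/rsyslog-splunk/uc/vmware-esxilog/esxi01/vmw-syslog/vmkernel.log"


def host_from_regex(source: str, host_regex: str) -> Optional[str]:
    """Mimic host_regex: the first capture group is used as the host.
    Assumption: the pattern is searched anywhere in the path."""
    m = re.search(host_regex, source)
    if m is None or not m.group(1):
        return None  # group absent or empty: no usable host extracted
    return m.group(1)


def host_from_segment(source: str, host_segment: int) -> Optional[str]:
    """Mimic host_segment: the Nth '/'-separated segment, counted from 1
    after the leading slash (so in /var/log/... 'var' is segment 1)."""
    parts = [p for p in source.split("/") if p]
    if host_segment < 1 or host_segment > len(parts):
        return None
    return parts[host_segment - 1]


if __name__ == "__main__":
    # Pattern from the question: the group is optional (*), so the greedy .*
    # swallows the whole path and the group never participates -> no host.
    print(host_from_regex(SAMPLE_SOURCE, r".*(\d+-\d+-\d+-\d+)*"))   # None
    # With +, the group must match, but the greedy .* only backtracks as far
    # as needed, so the leading "1" of the host is lost: "0-0-0-5".
    print(host_from_regex(SAMPLE_SOURCE, r".*(\d+-\d+-\d+-\d+)+"))   # 0-0-0-5
    # Anchoring on the fixed parent directory captures the whole segment.
    print(host_from_regex(SAMPLE_SOURCE, r"/var/log/syslog/([^/]+)/"))  # 10-0-0-5
    # host_segment needs no regex: segment 4 here, segment 6 in the ESXi layout.
    print(host_from_segment(SAMPLE_SOURCE, 4))  # 10-0-0-5
    print(host_from_segment(SAMPLE_ESXI, 6))    # esxi01
```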