Splunk Search

Can you help me a make regular expression for input.conf on a Splunk forwarder ?

meet_vadaria
Engager

Hi,

I am collecting all log file to a syslog server where I have a Splunk forwarder installed. To override source of syslog server to actual source. I'm trying to create a regular expression, but I can't figure it out. I am using host_regex inside input.conf to do this. Below is an example of my configurations:

input.conf.
[monitor:///var/log/syslog/]
host_regex=.*(\d+-\d+-\d+-\d+)*

my directory structure is, /var/log/syslog//*.log

I have a directory for a specific host with a hostname, and, under that, I am receiving all logs from that specific host.
How can I get that directory name in the host_regex? So in Splunk as a source I can get the actual hostname and overrider syslog server hostname.

Thanks in advance!

0 Karma

markusspitzli
Communicator

Sounds like our configuration but we used the host_segment.
The filestructure has the following naming:
BASEDIR/uc/INDEX/HOSTNAME/SOURCETYPE/LOGFILE

[monitor:///var/log/rsyslog-splunk/uc/vmware-esxilog/*/vmw-syslog/*.log]
host_segment = 6

It works very well and we dont need to regex the hostname.

0 Karma

burwell
SplunkTrust
SplunkTrust

Hello @meet_vadaria.

I recommend that you verify your regex on the website regex101.com

I would imagine you might want
host_regex=.*(\d+-\d+-\d+-\d+)+ not host_regex=.*(\d+-\d+-\d+-\d+)* or else the host name might end up empty?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...