Can you help me a make regular expression for inpu...

meet_vadaria · ‎11-02-2018

Hi,

I am collecting all log file to a syslog server where I have a Splunk forwarder installed. To override source of syslog server to actual source. I'm trying to create a regular expression, but I can't figure it out. I am using host_regex inside input.conf to do this. Below is an example of my configurations:

input.conf.
[monitor:///var/log/syslog/]
host_regex=.*(\d+-\d+-\d+-\d+)*

my directory structure is, /var/log/syslog//*.log

I have a directory for a specific host with a hostname, and, under that, I am receiving all logs from that specific host.
How can I get that directory name in the host_regex? So in Splunk as a source I can get the actual hostname and overrider syslog server hostname.

Thanks in advance!

markusspitzli · ‎02-19-2019

Sounds like our configuration but we used the host_segment.
The filestructure has the following naming:
BASEDIR/uc/INDEX/HOSTNAME/SOURCETYPE/LOGFILE

[monitor:///var/log/rsyslog-splunk/uc/vmware-esxilog/*/vmw-syslog/*.log]
host_segment = 6

It works very well and we dont need to regex the hostname.

burwell · ‎11-02-2018

Hello @meet_vadaria.

I recommend that you verify your regex on the website regex101.com

I would imagine you might want
host_regex=.*(\d+-\d+-\d+-\d+)+ not host_regex=.*(\d+-\d+-\d+-\d+)* or else the host name might end up empty?

Can you help me a make regular expression for input.conf on a Splunk forwarder ?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...