- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me build a regex that would parse %ho...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me build a regex that would parse %host% from the following log directories?
I am trying to use host_regex in input.conf
I have log directories as,
/var/log/rsyslog/%year%/%month%/%date%/%host%/syslog
$host$ can be any of following three,
abc-i-1234adfd-foo1
xx.xx.xx.xx
ip-xx-xx-xx-xx.ec2.internal
thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
I think the easiesst way is if you use host_segment.
For you this would be
host_segment = 7
See: https://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf
If set to N, Splunk software sets the Nth "/"-separated segment of the path as 'host'.
For example, if host_segment=3, the third segment is used.
Cheerz,
Björn
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried host_segment = 7. I was actually using that. It was working fine until I had %host% = ip-xx-xx-xx-xx.ec2.internal or abc-i-1234adfd-foo1 .
now, I got this new condition where I am getting ip (XX.XX.XX.XX) in %host%. in this specific case, splunk forwarder is not able to extract IP from that field and it's sending logs with default host (splunk forwarder's hostname) field.
as it's not working, I want to try out host_regex and see if that works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try any one of this in your inputs.conf for host_regex, it helps if you can post the year/month/data format as well to test the regex...
host_regex = /var/log/rsyslog/\d+/\d+\/\d+/([\w\d\\.-]+)\/syslog
host_regex = \/var\/log\/rsyslog\/\d+\/\d+\/\d+\/([\w\d\\.-]+)\/syslog
lookup this Splunk doc..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried that. it's working only with following 2 %host% values
abc-i-1234adfd-foo1
ip-xx-xx-xx-xx.ec2.internal
it's not able to extract 3rd value which is xx.xx.xx.xx (IP)
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
