Per this document in Splunk (http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments), I'd like to change the value of a default field, "host", during index time.
There are two fields, fielda="vala" and fieldb="valb" from log event data I need to refer to.
And the format of the new host value is FORMAT = "host::$1.$2".
I wrote 3 regexes:
REGEX = fielda="(?P<AAA>[^"]*)"|fieldb="(?P<BBB>[^"]*)"
$2 is always "" and host is set to 'vala.'.
REGEX = fielda="(?P<AAA>[^"]*)".*(fieldb="(?P<BBB>[^"]*)")?
$2 is always "" and host is set to 'vala.'.
REGEX = fielda="(?P<AAA>[^"]*)".*fieldb="(?P<BBB>[^"]*)"
I got expected value, "vala.valb".
In summary, Splunk regex performs non-greedy matching. How can I match all paths and get $2 filled?
Thanks,
Kevin
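Added example, not part of the original post: the three REGEX values from the question run against a constructed event, with FORMAT = host::$1.$2 emulated through numbered capture groups. Python's re module stands in for Splunk's PCRE engine here; the sample events, the helper host_for and the fourth pattern (lazy_optional) are assumptions added for illustration.

```python
import re

# Constructed sample events (not taken from the post).
EVENT_BOTH = 'ts=1 fielda="vala" x=1 fieldb="valb" y=2'
EVENT_ONLY_A = 'ts=1 fielda="vala" x=1'

PATTERNS = {
    # Alternation: the first branch matches at fielda, so the fieldb branch
    # (and its group) never participates in that match.
    "alternation": r'fielda="(?P<AAA>[^"]*)"|fieldb="(?P<BBB>[^"]*)"',
    # Greedy .* runs to end of line; the optional group then matches nothing,
    # and the engine has no reason to backtrack. Also note group 2 is the
    # outer (fieldb=...) group here; the BBB value would be group 3.
    "greedy_optional": r'fielda="(?P<AAA>[^"]*)".*(fieldb="(?P<BBB>[^"]*)")?',
    # fieldb is mandatory, so .* is forced to backtrack until it fits.
    "both_required": r'fielda="(?P<AAA>[^"]*)".*fieldb="(?P<BBB>[^"]*)"',
    # Added variant (assumption, not from the post): a lazy .*? inside a
    # non-capturing optional group keeps BBB as group 2 and fills it when
    # fieldb is present, while still matching events that lack fieldb.
    "lazy_optional": r'fielda="(?P<AAA>[^"]*)"(?:.*?fieldb="(?P<BBB>[^"]*)")?',
}


def host_for(pattern, event):
    """Emulate FORMAT = host::$1.$2 on the first match.

    Returns None when the regex does not match (the transform would not
    fire). A group that did not participate expands to an empty string,
    which is the behaviour reported in the post ('vala.').
    """
    m = re.search(pattern, event)
    if m is None:
        return None
    first, second = (m.group(n) or "" for n in (1, 2))
    return f"{first}.{second}"


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:16} both={host_for(pattern, EVENT_BOTH)!r:12} "
              f"only_a={host_for(pattern, EVENT_ONLY_A)!r}")
```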