Extract host from an event
This documentation does not apply to the most recent version of Splunk.
This example creates a custom regular expression match to extract the host values from a specific source type.
etc/bundles/local/regexes.conf
First, create a regular expression that captures the host value and add it to regexes.conf as a named stanza:

[my_custom_host_finder]
DEST_KEY = MetaData:Host
REGEX = \d\d\:\d\d\:\d\d\s+\[?([\w\.\-]+)\]?\s
FORMAT = host::$1

The pattern matches an hh:mm:ss timestamp, one or more whitespace characters, then the host name (optionally wrapped in square brackets) followed by a whitespace character. The first capture group ($1) is written to the event's host field via the FORMAT value host::$1.
Attributes
You may need to set one or more of these in regexes.conf.
- PREPEND
String to put in front of the value set at DEST_KEY. This would be the metadata name you want users to search for, such as host:: or pid, but you must also set WRITE_META to True for it to be searchable from the Splunk interface.
- FORMAT
How to place matching regular expression section(s) into each event.
- REGEX
The regular expression. It can have more than one matching section.
- SOURCE_KEY
A parallel to DEST_KEY: this is where Splunk should look for matches. The default is _raw, the stream of data passing through the pipeline. You can also use any value defined as a DEST_KEY or built in, such as !MetaData:Host or pid from the above example.
- WRITE_META
A boolean value (True or False) that tells Splunk whether or not to display the set value in search results alongside host::, source:: and sourcetype::. Either way, users can search for the value.
etc/bundles/local/props.conf
Then map the regex to the source type in props.conf:

[my_custom_sourcetype]
REGEXES = my_custom_host_finder
Attributes
- REGEXES
String. Default: none.
Specifies a comma-delimited list of stanza names from regexes.conf to apply to events of this source type.
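To see what the stanza above actually assigns before it touches a live index, here is an added example (not Splunk's code and not part of the original page) that parses the regexes.conf stanza with Python's configparser and runs it over a few constructed log lines the way the pipeline searches _raw. The default host name forwarder-01, and the fallback to it when the regex does not match, are assumptions of the example. Two of the sample lines show behaviour a practitioner should check for: the host is not captured when it is the last token on the line, because the pattern requires whitespace after it, and because the match is an unanchored search over the whole event, a line whose prefix fails to match but whose body contains an attacker-controlled "hh:mm:ss name " string gets its host metadata from that body.

```python
"""Apply the regexes.conf host-extraction stanza to sample events and report
the host each one would get.  Added example for this page; not Splunk code."""
import configparser
import re

# The stanza from the page, embedded inline so the example runs offline.
REGEXES_CONF = r"""
[my_custom_host_finder]
DEST_KEY = MetaData:Host
REGEX = \d\d\:\d\d\:\d\d\s+\[?([\w\.\-]+)\]?\s
FORMAT = host::$1
"""

# Constructed sample events; none were captured from a real system.
SAMPLE_EVENTS = [
    "Jan 12 10:22:31 [web01.example.com] sshd[4242]: Accepted publickey for deploy",
    "Jan 12 10:22:32 db-02 kernel: audit: type=1400",
    # Host is the last token: the trailing \s in REGEX cannot match, so no host is extracted.
    "Jan 12 10:22:33 [web01.example.com]",
    "no timestamp on this line at all",
    # Prefix fails to match (':' directly after ']'), so the unanchored search continues into
    # the message body and picks up an attacker-supplied "hh:mm:ss name " string instead.
    "Jan 12 10:22:35 [db-03]: started 23:59:59 attacker.example ",
]


def load_stanza(conf_text, name):
    """Parse one stanza out of regexes.conf-style text (INI syntax).

    Only '=' separates key from value, because regexes.conf values such as
    MetaData:Host contain ':'.  Interpolation is disabled so '$' and '%' in
    values are kept literally.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    section = parser[name]
    return {
        "dest_key": section["DEST_KEY"],
        "regex": re.compile(section["REGEX"]),
        "format": section["FORMAT"],
    }


def render_format(fmt, match):
    """Expand $1, $2, ... in FORMAT with the regex's capture groups."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), fmt)


def extract_host(line, stanza, default_host):
    """Return the host this event would be indexed with.

    The regex is searched, not anchored, across the whole raw line, as Splunk
    does over _raw.  If it does not match, DEST_KEY is never written and the
    event keeps the host the input would otherwise assign (default_host); that
    fallback is an assumption of this example, not something the page states.
    """
    match = stanza["regex"].search(line)
    if match is None:
        return default_host
    value = render_format(stanza["format"], match)   # e.g. "host::web01.example.com"
    return value.split("::", 1)[1]                   # bare host name


def run_samples(default_host="forwarder-01"):
    """Apply the page's stanza to every sample event; returns (event, host) pairs."""
    stanza = load_stanza(REGEXES_CONF, "my_custom_host_finder")
    return [(event, extract_host(event, stanza, default_host)) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, host in run_samples():
        print(f"{host:20} <- {event}")
```

Run the file directly to print the host assigned to each sample event. Because host:: is what searches, alerts and per-host access restrictions key on, test any custom host regex against malformed and adversarial lines as well as well-formed ones; if event bodies can contain user-controlled text, tighten the pattern so it only matches at the start of the event rather than anywhere in _raw.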
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.