host name extraction for multiple types of logs

spatil · ‎04-05-2011

Hi ,

I have two different types of logs, performance logs and alert logs. for performance logs , I have a folder structure as follows, \Splunk\etc\apps\myApp\logs\log_sample\host1\gn1*.cvs \Splunk\etc\apps\myApp\logs\log_sample\host2\gn2*.cvs \Splunk\etc\apps\myApp\logs\log_sample\host3\gn3*.cvs

here, host1, host2, and host3 are my host names. I managed to extract above host names using "host_segment" in inputs.conf.

Now, for alert logs I have a below directory structure. \Splunk\etc\apps\myApp\logs\AlertLogs*.csv For all these alert logs I need a static hostname say "alert".

How can I configure Inputs.conf to handle above situation ?

Regards, S.

jgauthier · ‎04-05-2011

on the input stanza, i believe you can set it explicity:

host=alert

I am doing that with my firewall logs, so the host is set to be the city location.

jgauthier · ‎04-06-2011

What is the host showing up as? You probably want to remove the host_segment here, it's not necessary.

spatil · ‎04-06-2011

I have already added below lines in inputs.conf, still it is not working host_segment=7 [source::...AlertLogs...] host=alert

host name extraction for multiple types of logs

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life