- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- transform hostname based on log filename?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, we're going to monitor following files on a host with universal forwarder installed:
/data/asav/gw1new/log1.gz
/data/asav/gw2new/log1.gz
/data/asav/gw3new/log1.gz
Since there is no hostname recorded in the log, we want to set hostname like this for stanza [monitor:///data/asav/gw*/*gz]:
gw1new -> mailgw1
gw2new -> mailgw2
gw3new -> mailgw3
Would anyone please help?
Thanks a lot.
/ST Wong
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check this inputs.conf setting:
host_segment = *integer*
Sets the segment of the path as the host, using integer to determine the segment.
For example, if host_segment = 2, host becomes the second segment of the path. Path segments are separated by the '/' character.
Source: http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Monitorfilesanddirectorieswithinputs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check this inputs.conf setting:
host_segment = *integer*
Sets the segment of the path as the host, using integer to determine the segment.
For example, if host_segment = 2, host becomes the second segment of the path. Path segments are separated by the '/' character.
Source: http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Monitorfilesanddirectorieswithinputs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, but we hope to do some transform based on segment 3, e.g.
/data/asav/gw1new/log.1.gz
host_rex = 3 gives gw1new. Then we hope to do something like:
echo gw1new | sed 's/(gw[0-9])new$/mail\1/g'
that gives mailgw1.
Possible to do so?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, with a transform like:
[rename_gw_hostname]
SOURCE_KEY = MetaData:Host
REGEX = host::(\w\w\d)new
FORMAT = host::mail$1
DEST_KEY = MetaData:Host
Applied with props like:
[host::gw*new]
TRANSFORMS-rename_gw_hostname = rename_gw_hostname
I didn't tested it but it should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works! Thanks a lot for your help.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
