Hi,
I have the syslogs coming from 4 consoles in to single path, how to extract the hostnames in inputs.conf file?
log names:
mail.text.esa1.abc.iphmx.com.@20170413T093916.s
mail.text.esa2.abc.iphmx.com.@20170413T093916.s
mail.text.esa3.abc.iphmx.com.@20170413T093916.s
mail.text.esa4.abc.iphmx.com.@20170413T093916.s
required hostnames:
esa1.abc
esa2.abc
esa3.abc
esa4.abc
Hi kiran331, You'll have to add a transform specification to the props config on the source or sourcetype. The transform could have a REGEX set to something like:
mail\.text\.([^\.]+\.[^\.])\.iphmx\.com
Taking the config from another answer: https://answers.splunk.com/answers/91933/can-you-override-host-for-an-input.html
#props
[source::mysource]
TRANSFORMS-ho=hostoverride
#transforms
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = mail\.text\.([^\.]+\.[^\.])\.iphmx\.com
FORMAT = host::$1
You might need to adjust the source specification in props (your source probably isn't named "mysource"), and the regex might need adjusting as well to be more generic, depending on whether you have different patterns for the hostnames in the source.
This config will need to be set on the indexer, or on whatever Splunk instance runs the processing pipeline on the events.
Please let me know if this answers your question! 😄
I tried this one, it didn't work. Do I have to mention anything under host= in inputs.conf?
I think a + was missed in the extracting expression:
^mail\.text\.([^\.]+\.[^\.]+)\.iphmx\.com
Following is the documentation for your use case, with an example: http://docs.splunk.com/Documentation/Splunk/latest/Data/Overridedefaulthostassignments#Example
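Added example (not part of the thread above): a small Python simulation of how the transform in this thread would evaluate, so the two REGEX values can be compared against the filenames from the question before the config is deployed. Two assumptions are built in. First, the source values are full file paths (the directory prefix /var/log/esa/ is invented here; Splunk's source for a monitor input is the full path, the question only shows the basename). Second, the transform has SOURCE_KEY = MetaData:Source; the transforms.conf stanza quoted in the answer sets no SOURCE_KEY, so it would run the REGEX against _raw (the event text) rather than the filename, which is one reason a filename-based pattern can silently never match. Python's re and Splunk's PCRE behave identically for the constructs used here.

```python
import re

# Constructed sample values of MetaData:Source, modelled on the four filenames in the
# question. The /var/log/esa/ directory prefix is an assumption made for this example.
SOURCES = [
    "/var/log/esa/mail.text.esa1.abc.iphmx.com.@20170413T093916.s",
    "/var/log/esa/mail.text.esa2.abc.iphmx.com.@20170413T093916.s",
    "/var/log/esa/mail.text.esa3.abc.iphmx.com.@20170413T093916.s",
    "/var/log/esa/mail.text.esa4.abc.iphmx.com.@20170413T093916.s",
]

# The REGEX values as posted in the thread.
REGEX_ORIGINAL = r"mail\.text\.([^\.]+\.[^\.])\.iphmx\.com"     # second [^\.] lacks '+'
REGEX_CORRECTED = r"mail\.text\.([^\.]+\.[^\.]+)\.iphmx\.com"   # the fix from the last comment
REGEX_ANCHORED = r"^mail\.text\.([^\.]+\.[^\.]+)\.iphmx\.com"   # same fix, with the leading '^'


def override_host(source, regex, fmt="host::$1"):
    """Simulate a transform with SOURCE_KEY = MetaData:Source and DEST_KEY = MetaData:Host.

    Splunk's REGEX is an unanchored search; FORMAT refers to capture groups as $1..$n.
    Returns the host value that would be written, or None when the REGEX does not match
    (in that case Splunk leaves the event's default host untouched).
    """
    m = re.search(regex, source)
    if m is None:
        return None
    # Expand $1, $2, ... from the match, exactly as FORMAT does.
    value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)
    key, sep, host = value.partition("::")
    if sep != "::" or key != "host":
        raise ValueError("FORMAT for MetaData:Host must be of the form host::<value>")
    return host


def hosts_for(sources, regex):
    """Apply one REGEX to every source and return the resulting host list."""
    return [override_host(s, regex) for s in sources]


if __name__ == "__main__":
    for label, regex in (("original", REGEX_ORIGINAL),
                         ("corrected", REGEX_CORRECTED),
                         ("anchored", REGEX_ANCHORED)):
        print(f"{label:>9}: {hosts_for(SOURCES, regex)}")
```

Run as-is, the original pattern yields no host for any of the four files: after `[^\.]+` consumes `esa1`, the single `[^\.]` consumes `a` and the pattern then demands `\.` where the source has `b`, so the match fails and the events keep their default host, which is consistent with "it didn't work". The corrected pattern yields esa1.abc through esa4.abc. The anchored variant only matches when the source is the bare filename; against a full path the `^` makes it fail, so leave the anchor off unless the source really starts with `mail.text`. For a pure inputs.conf solution, monitor stanzas also accept `host_regex`, which extracts the host from the file path using the first capture group; the corrected, unanchored pattern is usable there unchanged.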