Pulling out hostname from UNC path in windows

Esky73 · ‎05-31-2017

i have several SQL servers with logs in different places so i've got a share UNC location so i can deploy inputs.conf with the same config.

\SERVERNAME\Log\appserver_log.txt

my inputs.conf looks like this - the log file is processed - but i can't seem to extract the servername - i've tried host_segment but no

[monitor://\*\Log*]
disabled = false
whitelist = appserver_log.txt
index = test

niketn · ‎06-01-2017

@Esky73, For host_segment have you tried

host_segment=1

Alternatively if you know your servername pattern you can define regex. For ex(you would need to give some anonymized sample server names for exact regular expression):

host_regex=(\w+)\\Log

PS: If you have whitelisted only one log file name why not monitor only that file in the monitor block and remove whitelist?

[monitor://\*\Log\appserver_log.txt]

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

woodcock · ‎06-01-2017

As far as your monitor/whitelist comment, the 2 forms are identical, especially in the sense that internally Splunk converts what you said to what OP said anyways. Strictly speaking OP's way is "better" but your way is "simpler".

Pulling out hostname from UNC path in windows

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes