I have several SQL servers with logs in different places, so I've got a share UNC location so I can deploy inputs.conf with the same config.
\SERVERNAME\Log\appserver_log.txt
My inputs.conf looks like this - the log file is processed - but I can't seem to extract the servername - I've tried host_segment but no
[monitor://\*\Log*]
disabled = false
whitelist = appserver_log.txt
index = test
@Esky73, for host_segment have you tried
host_segment=1
Alternatively, if you know your servername pattern you can define a regex. For example (you would need to give some anonymized sample server names for an exact regular expression):
host_regex=(\w+)\\Log
PS: If you have whitelisted only one log file name, why not monitor only that file in the monitor block and remove the whitelist?
[monitor://\*\Log\appserver_log.txt]
As far as your monitor/whitelist comment, the 2 forms are identical, especially in the sense that internally Splunk converts what you said to what OP said anyways. Strictly speaking OP's way is "better" but your way is "simpler".
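A way to check a host_regex against sample paths before deploying it, added here as an example and not part of the original thread. Splunk uses the first capture group of host_regex as the host; the sample server names, the UNC_REGEX alternative, and the assumption that Python's re module treats these two patterns the same way Splunk's regex engine does are all assumptions of this example.

```python
import re

# host_regex suggested in the answer above (first capture group becomes host).
ANSWER_REGEX = r"(\w+)\\Log"

# Assumed alternative for comparison: anchor on the leading \\ of a UNC path
# and accept every character up to the next backslash as the server name.
UNC_REGEX = r"^\\\\([^\\]+)\\Log\\"

# Constructed sample paths; the server names are invented for this example.
SAMPLE_PATHS = [
    r"\\SQLSRV01\Log\appserver_log.txt",
    r"\\sql-prod-02\Log\appserver_log.txt",
    r"\\sql03.corp.example\Log\appserver_log.txt",
]


def extract_host(pattern, path):
    """Return the first capture group of pattern in path, or None if no match."""
    match = re.search(pattern, path)
    return match.group(1) if match else None


def compare(paths=SAMPLE_PATHS):
    """Return (path, host from ANSWER_REGEX, host from UNC_REGEX) per path."""
    return [
        (p, extract_host(ANSWER_REGEX, p), extract_host(UNC_REGEX, p))
        for p in paths
    ]


if __name__ == "__main__":
    for path, answer_host, unc_host in compare():
        # A mismatch means \w+ stopped at a character such as '-' or '.',
        # so events would be indexed under a truncated host value.
        flag = "" if answer_host == unc_host else "  <-- truncated by \\w+"
        print(f"{path}\n  (\\w+)\\\\Log -> {answer_host}\n  UNC-anchored -> {unc_host}{flag}")
```

Hyphenated or dotted server names are where the two patterns disagree, which is why the answer asks for sample names before settling on an exact expression.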