We are pushing out forwarders to over 200 servers this month. I intend to connect the forwarders to a deployment server and then push out the server.conf file using the below setup.
[general]
serverName = $HOSTNAME
Since there are so many servers, I do not want to manually set the hostname for each server. This seems to work, but when I go to edit the inputs.conf file, we have to monitor a server.log file that has the hostname before it.
[monitor:///testarea/host1_server.log]
I have tried setting "host1" to "$HOSTNAME" and "hostname". All which return the actual we are trying to monitor
When doing a ls -ltr on /testarea/$HOSTNAME_server.log it returns /testarea/host1_server.log.
Is Splunk able to do this?
Why wouldn't you just use a wildcard in your monitor stanza?
[monitor:///testarea/*_server.log]
You can run during the install process something like the following command -
/opt/splunk/splunkforwarder/bin/splunk set default-hostname <host>
Thanks jkat54 ... smh, not sure why I was thinking I needed to get hostname for that path, as that is the only file that ends with _server.log.