Dynamic Hostname based on actual host name + sourc...

peter_gianusso · ‎09-17-2012

Monitoring a directory with a bunch of files in it. Only want the .log files from the directory.

Changing the sourcetype based on the file name.

Now I want to change the hostname based on the file name. I saw an example on Splunkbase and tried using it below unsuccessfully. In the end, based on the file name, I want to assign different values to the hostname.

if the file matches the pattern, CAPPM*.log, then I want the hostname to be HOSTNAME (computer) + the source type from the props.conf (ex. njros1bva0597_SOURCE1)

if the file matches the pattern, ex*.log, then I want the hostname to be HOSTNAME (computer) + the source type from props.conf (ex. njros1bva0597_SOURCE2)

Below is my probably feeble attempt.

inputs.conf
[monitor://\njros1bva0597\d$\LogFiles\W3SVC1]
disabled = 0
host = NJROS1BVA0621ABC
index=imaging
whitelist = .log$

Props.conf
[source::...\CAPPM*.log]
sourcetype = SOURCE1

[source::...\ex*.log]
sourcetype = SOURCE2

[SOURCE2]
TRANSFORMS-hostname = esx_remap_host

transforms.conf
[esx_remap_host]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Host
REGEX = /dir1/dir2/(.+)/ex120110.log
FORMAT = host::$1

MarioM · ‎09-17-2012

have you tried regex on path in inputs.conf with following parameter?

host_regex=

peter_gianusso · ‎09-17-2012

Sorry...Should have stated I wanted to append the source type from the props.conf to the actual host name. The appending of the 2 would be the source name I wanted.

I don't think doing that in inputs.conf will do that because props.conf has not been executed.

Dynamic Hostname based on actual host name + sourcetype

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms