Splunk Search

add oneshot with host segment

melonman
Motivator

Hi there,

I need to re-index some data. In inputs.conf, the host_segment parameter is configured as follows:

host_segment = 3

And I issued the following add oneshot commands after deleting the indexed data with the "| delete" command:

splunk add oneshot "/path/to/host1/file" -index myidx -sourcetype mytype
splunk add oneshot "/path/to/host2/file" -index myidx -sourcetype mytype
splunk add oneshot "/path/to/host3/file" -index myidx -sourcetype mytype

However, I got the following result:

splunk search '* | top host'

host    count    percent
------ ------ ----------
myhost      5 100.000000

myhost is the hostname of the Splunk server. I expected host1, host2 and host3 in the result.

Could anyone help me retrieve the host value using host_segment?

Thanks!

1 Solution

gkanapathy
Splunk Employee

Seems to me if you're putting this in a script and you have the source or file name, it should not be that hard to get the correct host value and pass that as the argument to the -host option, e.g.

# filelist.txt holds one absolute path per line, e.g. /path/to/host1/file
while read -r fn ; do
  # host_segment = 3 is the 3rd path component; awk sees an empty field before the leading /, so that is $4
  h=`echo "$fn" | awk -F/ '{print $4}'`
  splunk add oneshot "$fn" -host "$h" -index myidx -sourcetype mytype
done < filelist.txt
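The same idea carried a step further, as an added example rather than code from this thread: a helper that derives the host exactly the way host_segment counts path components (N-th component from the root) and refuses to index a file whose path has no such segment, so a re-index never silently lands under the indexer's own hostname as in the question above. The function names and the SPLUNK_CMD variable are assumptions, not Splunk options.

```shell
#!/bin/sh
# Added example, not code from the thread. Derives the host the way
# inputs.conf host_segment does and passes it explicitly with -host.

# host_segment = N is the N-th path component counting from the root:
# /path/to/host1/file with N=3 gives host1. Prints nothing if N is out of range.
host_from_segment() {
  printf '%s\n' "${1#/}" | awk -F/ -v n="$2" 'n >= 1 && n <= NF { print $n }'
}

# Re-index every path listed in $1 (one absolute path per line) using
# host_segment value $2; remaining arguments are passed through to add oneshot.
# SPLUNK_CMD (assumed variable) lets you point at the splunk binary.
reindex_with_host_segment() {
  list=$1; seg=$2; shift 2
  while IFS= read -r fn; do
    [ -n "$fn" ] || continue
    h=$(host_from_segment "$fn" "$seg")
    if [ -z "$h" ]; then
      # Refuse rather than index under the wrong host, the symptom in the question.
      printf 'skipping %s: no path segment %s\n' "$fn" "$seg" >&2
      continue
    fi
    "${SPLUNK_CMD:-splunk}" add oneshot "$fn" -host "$h" "$@"
  done < "$list"
}
```

Run it as `reindex_with_host_segment filelist.txt 3 -index myidx -sourcetype mytype`; set SPLUNK_CMD=echo first to preview the commands without indexing anything.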


Masa
Splunk Employee

Yes, we support -host_segment option. We just need to add it in our doc and command help.


melonman
Motivator

Quick confirmation: do you know if using add oneshot with the -host_segment option is a supported operation in Splunk?


gkanapathy
Splunk Employee

This doesn't seem to have anything to do with host_segment.


melonman
Motivator

After deleting and re-indexing the same file, it takes some time for the re-indexed data to show up in the search result. The target file contains about 10 lines, and the number of them is 5.


gkanapathy
Splunk Employee

What do you mean by "right result"? How big are the files? How many are there?


melonman
Motivator

Yes, you are right. However, even with -host, it takes about 10 minutes to get the right result. Is it expected behavior? I thought data was indexed right after the oneshot command was issued.


melonman
Motivator

I issued the following:

splunk add oneshot "/path/to/host1/file" -index myidx -sourcetype mytype -host_segment 3

I didn't get the result immediately, but I could get the correct result after 5 or 6 minutes. Is this expected behavior?
I would appreciate it if anyone could also comment on this.
