Getting Data In

How to monitor a file that includes the hostname of the machine and access local hostname in inputs.conf

atownson
Explorer

We have a set of servers defined within a server class using a deployment server. The deployment apps include an inputs.conf for each server within the class. One file we're monitoring includes the hostname of the local machine. How do you resolve the hostname inside the inputs.conf? I would assume it would be a variable or token but not sure what.

Example:
ServerA => [monitor:///path/to/file/ServerA.xml]
ServerB => [monitor:///path/to/file/ServerB.xml]

I did find a similar question or two in answers but did not find an appropriate resolution.

0 Karma
1 Solution

woodcock
Esteemed Legend

The way to do this is to use some other tool like Tanium to run a 1-time script that creates a soft link to the proper file and puts it by itself, and monitor that. Something like this:

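mkdir -p /path/to/file/forsplunk/
# $(hostname) runs the hostname command; ${hostname} would expand an unset shell variable
ln -fs "/path/to/file/$(hostname).xml" /path/to/file/forsplunk/somestaticname.xml

Then use:

[monitor:///path/to/file/forsplunk/somestaticname.xml]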


0 Karma
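
An added example, not part of the answer above or of Splunk's own tooling: the symlink step as a re-runnable shell function that refuses to link anything other than this host's regular `<hostname>.xml` file. The function name and the optional hostname-override argument are assumptions; `forsplunk` and `somestaticname.xml` follow the answer's placeholders.

```shell
#!/bin/sh
# Added example: point a fixed-name symlink at this host's <hostname>.xml.
# link_host_xml and its optional host argument are hypothetical names;
# "forsplunk" and "somestaticname.xml" are the answer's placeholders.

link_host_xml() {
    src_dir=$1                       # directory that holds <hostname>.xml
    host=${2:-$(hostname)}           # optional override, else local hostname
    target="$src_dir/$host.xml"
    link_dir="$src_dir/forsplunk"    # dedicated directory: only the link lives here
    link="$link_dir/somestaticname.xml"

    # Reject hostnames that would resolve outside src_dir
    case $host in
        ''|*/*|.|..) echo "bad hostname: $host" >&2; return 2 ;;
    esac

    # Link only to an existing regular file that is not itself a symlink,
    # so the forwarder never follows a chain into an unrelated path
    if [ ! -f "$target" ] || [ -L "$target" ]; then
        echo "no regular file at $target" >&2
        return 1
    fi

    mkdir -p "$link_dir" || return 1
    # -f replaces an existing link, -n keeps ln from following the old one
    ln -sfn "$target" "$link" || return 1
    printf '%s\n' "$link"
}
```

Point the monitor stanza at the path the function prints, for example `[monitor:///path/to/file/forsplunk/somestaticname.xml]`; because the link sits alone in its directory, other XML files in the source directory are never matched.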


atownson
Explorer

This seems like a viable workaround. Thank you.

0 Karma

atownson
Explorer

FYI, for users monitoring the file based on modified time this solution will not work because the softlink's modified time is not updated in tandem with the target's modified time.

0 Karma

atownson
Explorer

A quick note: we need to index exactly [hostname].xml. There are other XMLs that could be in the dir that we do not want indexed and there's no required pattern for the hostname.

0 Karma

marycordova
SplunkTrust

Are you just trying to set the path for the inputs including the hostname such as "ServerA"?

If so then just use a wildcard in the stanza: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf?utm_source=answers&utm_medium=i...

Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored inputs. Use
  "..." for recursive directory matching and "*" for wildcard matching in a
  single directory segment.
* "..." recurses through directories. This means that /foo/.../bar matches
  foo/1/bar, foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path. For
  example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...", it
  does not recurse. For example, /foo/*/bar matches the files
  /foo/1/bar, /foo/2/bar, etc. However, it does not match
  /foo/bar or /foo/1/2/bar.
  A second example: /foo/m*r/bar matches /foo/mr/bar, /foo/mir/bar,
  /foo/moor/bar, etc. It does not match /foo/mi/or/bar.
* You can combine "*" and "..." as needed: foo/.../bar/* matches any file in
  the bar directory within the specified path.
@marycordova
0 Karma

atownson
Explorer

There are other files that would/could match the wildcard pattern that we would not want to index. We're currently using the wildcard method and it's indexing files we don't want. So specifically we need to monitor for [hostname].xml.

0 Karma