Getting Data In

ip address and hostname from forwarder

andykiely
Path Finder

I am using a host segment to set a 'hostname' (we have multiple hosts on one box) as set out below:

[monitor://c:\logs\node-21\*.log]
host_segment = 2
index = node_logs
sourcetype = node_logs

I would like to see my other 'hostname' and the ip address. The reason being I may need to move these 'hosts' between machines so it would be good to know the ip address they came from.

Has anyone got this kind of setup or have any good ideas?

Regards
Andy

1 Solution

kristian_kolb
Ultra Champion

You are only monitoring the 'node-21' directory for log files, thus, host_segment=2 will always be 'node-21'. Wildcards can be used to monitor more directories. See below.

Do you by 'ip-address of the host server' mean the physical machine where the nodes are running, and where the log file directories are created/stored? If so, perhaps the easiest way would be to change the logging directory, so that this piece of information gets stored in the source field, i.e.

[monitor://c:\logs\server_a\node*\*.log]
host_segment=3
index=node_logs
sourcetype=node_logs

The source field is present in all events, and can then be used to see from where an event originated.

OR

You could do the opposite - remove the host_segment configuration, so that all events will have the host value set to the physical machine. Then you can use the source field to find out which node an event came from.

OR

You can just set the value of source in inputs.conf to any string you like, even though the general recommendation is to let it be.

For more information, see:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

/K



andykiely
Path Finder

Hi Kristian,

I went with the source option in the end. I removed the host_segment config from the UF and then did an extract within props.conf to create an extra field called 'node'.

Thanks for your input, really helpful.

Regards
Andy

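Added example (not code from this thread, from Splunk, or from either poster): a small Python model of the two mechanisms discussed above, the `host_segment` path numbering that Kristian's stanza relies on, and a props.conf-style extraction of a `node` field from `source`, which is the option Andy settled on. The segment numbering is an assumption modelled on the counting the thread itself uses (drive letter not counted, segments numbered from 1), not Splunk's own implementation; the host names and events are constructed. It also shows the practical reason for dropping `host_segment`: the physical machine survives in `host`, so when an incident later needs an event placed on a specific box, a node's moves between servers can still be reconstructed.

```python
import re
from typing import Dict, List, Optional


def path_segments(path: str) -> List[str]:
    """Split a monitored file path into the segments host_segment counts.

    Assumption (modelled on this thread's numbering, not Splunk's source):
    backslashes and slashes both separate segments, a Windows drive letter
    such as 'c:' is not counted, and numbering starts at 1.
    """
    normalized = path.replace("\\", "/")
    normalized = re.sub(r"^[A-Za-z]:/", "/", normalized)
    return [seg for seg in normalized.split("/") if seg]


def host_from_segment(path: str, host_segment: int, default_host: str) -> str:
    """Return the host value host_segment=N would assign to an event.

    Out-of-range values fall back to the forwarder's own default host,
    mirroring Splunk's documented fallback to the host= setting.
    """
    segs = path_segments(path)
    if host_segment < 1 or host_segment > len(segs):
        return default_host
    return segs[host_segment - 1]


# Regex for the logical node name; the props.conf equivalent is a
# search-time extraction of the form  EXTRACT-node = (?<node>node-\d+) in source
NODE_RE = re.compile(r"(?P<node>node-\d+)")


def node_from_source(source: str) -> Optional[str]:
    """Pull the logical node name out of the source path, or None if absent."""
    match = NODE_RE.search(source)
    return match.group("node") if match else None


# Constructed sample events as the forwarder would see them: the physical
# machine the UF runs on and the path of the monitored file.  node-21 is
# first seen on srvA and later on srvB, i.e. it has been moved.
SAMPLE_EVENTS = [
    {"forwarder_host": "srvA", "source": r"c:\logs\node-21\app.log"},
    {"forwarder_host": "srvB", "source": r"c:\logs\node-23\app.log"},
    {"forwarder_host": "srvB", "source": r"c:\logs\node-21\app.log"},
]


def enrich(event: dict, host_segment: Optional[int] = None) -> dict:
    """Simulate the host/source/node fields that reach the index.

    With host_segment unset, host is the physical machine (option two in the
    accepted answer); with it set, host is taken from the path instead.
    """
    src = event["source"]
    if host_segment is None:
        host = event["forwarder_host"]
    else:
        host = host_from_segment(src, host_segment, event["forwarder_host"])
    return {"host": host, "source": src, "node": node_from_source(src)}


def node_locations(events: List[dict], host_segment: Optional[int] = None) -> Dict[str, List[str]]:
    """Which host values has each node been seen under?

    This is the 'which server was the node on' question from the thread.
    Without host_segment the answer is the list of physical machines;
    with host_segment=2 on the original layout the physical host is lost.
    """
    seen: Dict[str, set] = {}
    for ev in events:
        rec = enrich(ev, host_segment)
        if rec["node"] is None:
            continue
        seen.setdefault(rec["node"], set()).add(rec["host"])
    return {node: sorted(hosts) for node, hosts in seen.items()}


if __name__ == "__main__":
    print("original config  :", node_locations(SAMPLE_EVENTS, host_segment=2))
    print("host_segment off :", node_locations(SAMPLE_EVENTS))
```

With `host_segment=2` every event of node-21 reports host `node-21` and the physical server is gone; with `host_segment` removed the same events report `srvA` and `srvB`, and the `node` field carries the logical name. In Splunk itself the last step is a props.conf stanza for the `node_logs` sourcetype containing `EXTRACT-node = (?<node>node-\d+) in source`, which is the search-time extraction Andy describes.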

kristian_kolb
Ultra Champion

Hi,

Well for option one, you would add an extra piece of info to the source, namely the physical host, by having that in the path to the log file directory. No information lost.

For option two, you would still not lose info. The physical host would be found in the host and the logical node in the source for each event.

Option three is just a refined version of option two.


andykiely
Path Finder

Hi Kristian,

No, the directory is changing (see last response); this is why I used the host_segment. I would like to add the ip address of the physical host server to the events; ideally I don't want to change the source, as the filenames contain useful information.

Regards
Andy


andykiely
Path Finder

Hi Kristian,

I want to see node-21 or node-23 or whatever happens to be in the directory portion as the 'hostname', I do not really care about the physical hostname of the server. I would like to see the ip addresses of the host server as these nodes may need to be moved to a different server at times and I would like a way of tracking which server the nodes were on at any one time.

Hope that makes sense.


kristian_kolb
Ultra Champion

Hm.. not sure I fully understand. With your current configuration the host field will be set to 'node-21' at all times. Is that really what you want?

By "other hostname", do you mean the physical box where the logs are stored?
