I can't get "host" field by segment settings when ...

yutaka1005 · ‎12-25-2018

OS : windows 10
Splunk Ver : 7.2.3

I want to define first segment of below archive file as 'host' field when I upload it.

filename : hogehoge.zip
contents : /<host name>/ccc/ddd.txt

But in Splunk on windows, even if I choose Segment in path and put Segment number as 1 at Input Settings, it was not working.
* I could do it in Splunk on Linux!

Is this a specification? OR issues?

niketn · ‎12-25-2018

@yutaka1005, I think you have got wrong behavior of segmentation. Instead of the zip file can you try the folder tree and upload only one file ddd.txt to test whether segmentation is picking up correct host name or not?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mstjohn_splunk · ‎01-09-2019

Hi @yutaka1005

Are you still having trouble with this issue? If so, please answer the commenter above so that they can help you further. Or, if you solved your query, would you mind describing the steps you took as an answer below so that others can learn from your solution?

Thanks for posting!

yutaka1005 · ‎01-09-2019

@p_gurav

Thank you for comment!
I tried putting host_segment value as 3, but it was still not working...

@niketnilay

Thank you for comment!
If I monitor normal tree folders, I can get host field by segmentation!

@mstjohn_splunk

Thank you for comment!
Even now, I do not know how to solve this ...

p_gurav · ‎12-25-2018

Hi,

According to the source field getting into Splunk, can you try putting host_segment value as 3.

I can't get "host" field by segment settings when upload zip files in Splunk on Windows.

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...