- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Re: Unable to recognize hostname from source
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My data consists of a hierarchical zip file. Although the hostname is always located in the fifth and last segment of the path, entering 5 at index time for "Segment in path" did not work. Instead, the host is always displayed as 127.0.0.1.
For reference, the source path looks similar to this: files.zip:./files/dir/logs/hostname
I have also tried many other numbers, including -1 in the hope that it could count backwards.
Even when uploading one single log file which just has the hostname as the filename, and entering segment in path = 1, the hostname was not recognised.
I don't have access to edit props.conf, transforms.conf etc., so it would need to work from the web interface.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have found a workaround by creating a field transformation with the below regex, and a corresponding field extraction.
files.zip:./files/.*/.*/(?<hostname>[\w-]*)
Then, created an alias for hostname AS host, i.e. overwriting field values.
It's not ideal because now the search for the host is doubled up in two fields, so I'm still interested if there's a solution for the segment in path method at index time.
- Sorry for all the edits, I had to figure out how to display <, > and *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have found a workaround by creating a field transformation with the below regex, and a corresponding field extraction.
files.zip:./files/.*/.*/(?<hostname>[\w-]*)
Then, created an alias for hostname AS host, i.e. overwriting field values.
It's not ideal because now the search for the host is doubled up in two fields, so I'm still interested if there's a solution for the segment in path method at index time.
- Sorry for all the edits, I had to figure out how to display <, > and *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you working on an all-in-one Splunk instance or a distributed environment?
I would also check my inputs.conf to see if a host=127.0.0.1 parameter was also defined for the path you want to monitor.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it's single instance.
There was a line saying host=splunk in local/inputs.conf which I deleted and then restarted splunk, but it made no difference. I found in the web app server settings > general settings that a default host was set to splunk, which I deleted and then restarted, but after restarting the setting just reappeared. The segment in path still doesn't work.
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
