https://community.splunk.com/t5/Getting-Data-In/Host-based-on-filename/m-p/55613#M10873 <P>FYI, and as a supplemental to the above answer, I keep my files in the following directory:</P> <P><B>/var/splunk/input/mms_logs/</B></P> <P>The filename structure is:</P> <P><B>mms_<I>HOST-IP-ADDRESS</I>_<I>TIMESTAMP</I>.log</B></P> <P>examples:</P> <P><B>mms_10.152.58.100_20110101_004000_06137.log<BR /> mms_10.152.58.194_20110121_120000_70656.log</B></P> <P>Now to extract the IP address portion of filename as a host, I used the following regex:</P> <P><B>/var/splunk/input/mms_logs/mms_(\d+.\d+.\d+.\d+)_\d+</B></P> <P>Voila! From the above examples I know have two hosts (<B>10.152.58.100</B> &amp; <B>10.152.58.194</B>), along with all of the events that are hosted within the files <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Hope this helps someone!</P> Tue, 22 Feb 2011 09:24:42 GMT rturk 2011-02-22T09:24:42Z https://community.splunk.com/t5/Getting-Data-In/Host-based-on-filename/m-p/55610#M10870 <P>How can you create a "host" by the file name being indexed? Im looking to index my firewall configuration files, and currently the snapshots are saved with the firewalls hostname. Clear as mud?</P> Wed, 22 Sep 2010 07:39:19 GMT https://community.splunk.com/t5/Getting-Data-In/Host-based-on-filename/m-p/55610#M10870 ehastings82 2010-09-22T07:39:19Z https://community.splunk.com/t5/Getting-Data-In/Host-based-on-filename/m-p/55611#M10871 <P>You can look at the <CODE>host_segment</CODE> and <CODE>host_regex</CODE> settings that can be used with the file <CODE>monitor</CODE> stanzas in inputs.conf, to extract the source host from the file path.</P> Wed, 22 Sep 2010 07:49:25 GMT https://community.splunk.com/t5/Getting-Data-In/Host-based-on-filename/m-p/55611#M10871 gkanapathy 2010-09-22T07:49:25Z https://community.splunk.com/t5/Getting-Data-In/Host-based-on-filename/m-p/55612#M10872 <P>Your the man!!!</P> Wed, 22 Sep 2010 08:13:44 GMT https://community.splunk.com/t5/Getting-Data-In/Host-based-on-filename/m-p/55612#M10872 ehastings82 2010-09-22T08:13:44Z https://community.splunk.com/t5/Getting-Data-In/Host-based-on-filename/m-p/55613#M10873 <P>FYI, and as a supplemental to the above answer, I keep my files in the following directory:</P> <P><B>/var/splunk/input/mms_logs/</B></P> <P>The filename structure is:</P> <P><B>mms_<I>HOST-IP-ADDRESS</I>_<I>TIMESTAMP</I>.log</B></P> <P>examples:</P> <P><B>mms_10.152.58.100_20110101_004000_06137.log<BR /> mms_10.152.58.194_20110121_120000_70656.log</B></P> <P>Now to extract the IP address portion of filename as a host, I used the following regex:</P> <P><B>/var/splunk/input/mms_logs/mms_(\d+.\d+.\d+.\d+)_\d+</B></P> <P>Voila! From the above examples I know have two hosts (<B>10.152.58.100</B> &amp; <B>10.152.58.194</B>), along with all of the events that are hosted within the files <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Hope this helps someone!</P> Tue, 22 Feb 2011 09:24:42 GMT https://community.splunk.com/t5/Getting-Data-In/Host-based-on-filename/m-p/55613#M10873 rturk 2011-02-22T09:24:42Z