topic Re: transform hostname based on log filename? in Getting Data In

transform hostname based on log filename?

stwong — Tue, 29 Sep 2020 12:42:58 GMT

Hi, we're going to monitor following files on a host with universal forwarder installed:

/data/asav/gw1new/log1.gz
/data/asav/gw2new/log1.gz
/data/asav/gw3new/log1.gz

Since there is no hostname recorded in the log, we want to set hostname like this for stanza [monitor:///data/asav/gw*/*gz]:

gw1new -> mailgw1
gw2new -> mailgw2
gw3new -> mailgw3

Would anyone please help?
Thanks a lot.

/ST Wong

Re: transform hostname based on log filename?

mirkoneverstops — Fri, 03 Feb 2017 08:52:48 GMT

Check this inputs.conf setting:
host_segment = *integer*
Sets the segment of the path as the host, using integer to determine the segment.
For example, if host_segment = 2, host becomes the second segment of the path. Path segments are separated by the '/' character.

Source: http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Monitorfilesanddirectorieswithinputs.conf

Re: transform hostname based on log filename?

stwong — Fri, 03 Feb 2017 10:29:33 GMT

Thanks, but we hope to do some transform based on segment 3, e.g.

/data/asav/gw1new/log.1.gz

host_rex = 3 gives gw1new. Then we hope to do something like:

echo gw1new | sed 's/(gw[0-9])new$/mail\1/g'

that gives mailgw1.

Possible to do so?
Thanks.

Re: transform hostname based on log filename?

mirkoneverstops — Tue, 29 Sep 2020 12:43:11 GMT

Yes, with a transform like:

[rename_gw_hostname]
SOURCE_KEY = MetaData:Host
REGEX = host::(\w\w\d)new
FORMAT = host::mail$1
DEST_KEY = MetaData:Host

Applied with props like:
[host::gw*new]
TRANSFORMS-rename_gw_hostname = rename_gw_hostname

I didn't tested it but it should work.

Re: transform hostname based on log filename?

stwong — Mon, 06 Feb 2017 06:29:55 GMT

It works! Thanks a lot for your help.