topic Re: ip address and hostname from fowarder in Getting Data In

ip address and hostname from fowarder

andykiely — Wed, 14 Aug 2013 08:52:29 GMT

I am using a host segment to set a 'hostname' (we have multiple hosts on one box) as set out below:

[monitor://c:\logs\node-21\*.log]
host_segment = 2
index = node_logs
sourcetype = node_logs

I would like to see my other 'hostname' and the ip address. The reason being I may need to move these 'hosts' between machines so it would be good to know the ip address they came from.

Has anyone got this kind of setup or have any good ideas?

Regards
Andy

Re: ip address and hostname from fowarder

kristian_kolb — Wed, 14 Aug 2013 10:44:34 GMT

Hm.. not sure I fully understand. With your current configuration the host field will be set to 'node-21' at all times. Is that really what you want?

By "other hostname", do you mean the physical box where the logs are stored?

Re: ip address and hostname from fowarder

andykiely — Wed, 14 Aug 2013 13:40:11 GMT

Hi kristian,

I want to see node-21 or node-23 or whatever happens to be in the directory portion as the 'hostname', I do not really care about the physical hostname of the server. I would like to see the ip addresses of the host server as these nodes may need to be moved to a different server at times and I would like a way of tracking which server the nodes were on at any one time.

Hope that makes sense.

Re: ip address and hostname from fowarder

kristian_kolb — Wed, 14 Aug 2013 14:41:55 GMT

You are only monitoring the 'node-21' directory for log files, thus, host_segment=2 will always be 'node-21'. Wildcards can be used to monitor more directories. See below.

Do you by 'ip-address of the host server' mean the physical machine where the nodes are running, and where the log file directories are created/stored. If so, perhaps the easiest way would be to change the logging directory, so that this piece of information gets stored in the source field, i.e.

[monitor://c:\logs\server_a\node*\*.log]
host_segment=3
index=node_logs
sourcetype=node_logs

The source field is present in all events, and can then be used to see from where an event originated.

You could do the opposite - remove the host_segment configuration, so that all events will have the host value set to the physical machine. Then you can use the source field to find out which node an event came from.

you can just set the value of source in inputs.conf to any string you like, even though the general recommendation is to let it be.

For more information, see;

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Re: ip address and hostname from fowarder

andykiely — Wed, 14 Aug 2013 14:50:42 GMT

Hi Kristian,

No the directory is changing (see last response) this is why I used the host_segment. I would like to add the ip address of the physical host server to the events, ideally I don't want to change the source as the filenames contain useful information.

Regards
Andy

Re: ip address and hostname from fowarder

kristian_kolb — Fri, 16 Aug 2013 22:12:57 GMT

Hi,

Well for option one, you would add an extra piece of info to the source, namely the physical host, by having that in the path to the log file directory. No information lost.

For option two, you would still not lose info. The physical host would be found in the host and the logical node in the source for each event.

Option three is just a refined version of option two.

Re: ip address and hostname from fowarder

andykiely — Mon, 18 Nov 2013 17:01:05 GMT

Hi Kristian,

I went with the source option in the end. I removed the host_segment config from the UF and then did an extract within PROPS.conf to create an extra field called 'node'.

Thanks for your input, really helpful.

Regards
Andy