topic Re: Can I dynamically set the default host value using a Universal Forwarder? in Getting Data In

Can I dynamically set the default host value using a Universal Forwarder?

psyched4splunk — Tue, 16 Jul 2019 15:28:43 GMT

I'm using host_regex on a Universal Forwarder.

inputs.conf

[monitor:///app/splunkforwarder/logs/containername/*.log]
interval = 1800
host_regex = \/app\/splunkforwarder\/logs\/(.*?)\/*.log

From my understanding this should set container name as the host_regex.
However this isn't working, what am I doing wrong and how can I fix it?

Re: Can I dynamically set the default host value using a Universal Forwarder?

gcusello — Tue, 16 Jul 2019 16:37:16 GMT

Hi psyched4splunk,
let me understand: you want to dinamically set the hostname based on the "containername" part of the pa, is it correct?
if this is your need you have to add to the monitor stanza in inputs.conf, the following option:

host_segment = 4

in this way you dinamically set the hostname as the 4th part of the path.
You can find more information at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Bye.
Giuseppe

Re: Can I dynamically set the default host value using a Universal Forwarder?

kgderrekchapin — Tue, 16 Jul 2019 16:38:36 GMT

See if this helps you at alll.

host_regex = \/app\/splunkforwarder\/logs\/(\w+)\/\w+.log$

Unless there are special characters in your path this should capture the containername. I believe your regex was erroring because of the *.log.

(I could be wrong. Hopefully this helps)

Re: Can I dynamically set the default host value using a Universal Forwarder?

psyched4splunk — Wed, 30 Sep 2020 01:19:21 GMT

Yes that's correct.
However a more important part of my question is if setting host_segment and host_regex is dependent on the forwarder?
Can I dynamically set the host on a universal forwarder or no?
I haven't found a clear answer to this question.
I ask because I'm trying to do it on the Universal Forward and it's not working for me as I've included my inputs.conf above.

Re: Can I dynamically set the default host value using a Universal Forwarder?

kgderrekchapin — Tue, 16 Jul 2019 17:15:05 GMT

Where are you trying to set the hostname at?

The host that has the UF installed on it.

Or the inputs.conf from the deployed app on the UF. (this will set the hostname for the logs ingested by the input.conf stanza)

Re: Can I dynamically set the default host value using a Universal Forwarder?

psyched4splunk — Tue, 16 Jul 2019 19:29:31 GMT

The host that has the UF installed on it.

Re: Can I dynamically set the default host value using a Universal Forwarder?

gcusello — Wed, 30 Sep 2020 01:23:49 GMT

Hi psyched4splunk,

if you want to dinamically set the hostname for your logs based on a segment of the path of your logs you can do it, it doesn't depends on the forwarder: the host_segment depends on the input you have to ingest, not on the forwarder.
In other words, you have to configure an input.conf for your logs, setting the correct host_segment for every monitor stanza (eventually more than one) and then deploy it on your forwarders manually or (better) using a Deployment Server.

When you say the "it's not working for me", what do you mean? can you describe more your situation?

As you can read at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf , the hostname id defined by default when the Forwarder is installed, then it's possible to set a different hostname in each stanza of your inputs.conf file using different options (host=, host_segment=, host_regex=) so the most important thing is to clearly define your needs and set them in inputs.conf, then deploy (manually or using a Deployment Server) your app containing your inputs.conf to each forwarder.

Bye.
Giuseppe