<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Inputs.conf - use a variable in Monitoring Splunk</title>
    <link>https://community.splunk.com/t5/Monitoring-Splunk/Inputs-conf-use-a-variable/m-p/459683#M5837</link>
    <description>&lt;P&gt;Hello sbridge,&lt;/P&gt;

&lt;P&gt;For managing inputs.conf, you can install an UF on the one server where logs from all your other servers are stored (/mnt/logs/shorthostname) and then manage it with DS.&lt;/P&gt;

&lt;P&gt;Your other two questions:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;&lt;P&gt;Yes. You can use &lt;CODE&gt;host_segement&lt;/CODE&gt; to in your monitor stanza to capture hostnames from file path. &lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;Sourcetypes can be defined freely in inputs.conf with whatever name you want. You don't need a configuration setting to set sourcetype. &lt;/P&gt;&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;This is how your inputs.conf looks like:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[monitor:///mnt/logs/shorthostname1]
host_segment = 3
sourcetype = any_sourcetype_name_you_like

[monitor:///mnt/logs/shorthostname2]
host_segment = 3
sourcetype = any_sourcetype_name_you_like
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Wed, 25 Jul 2018 12:26:09 GMT</pubDate>
    <dc:creator>sudosplunk</dc:creator>
    <dc:date>2018-07-25T12:26:09Z</dc:date>
    <item>
      <title>Inputs.conf - use a variable</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/Inputs-conf-use-a-variable/m-p/459682#M5836</link>
      <description>&lt;P&gt;Hello all.  I have a bunch of *nix machines which all mount the same shared file server location to write their logs (/mnt/logs for example). For various (mostly political) reasons, it will be very difficult for me to run a UF on the back-end fileserver, so I need to run a forwarder on each server, and only grab the logs for that one server. All the machines have a directory under the common share which matches the hostname of the machine (/mnt/logs/shorthostname).  I could, of course, script the creation of inputs.conf on every machine, but it would be difficult to manage - I don't see how I could push a new inputs.conf from the DS.&lt;BR /&gt;
Two questions:&lt;BR /&gt;
1.) Is there any way to use a variable inside a monitor stanza that will contain the short hostname?&lt;BR /&gt;
2.) Is there something similar to host_segment that I could use to set the sourcetype from the log path?&lt;/P&gt;

&lt;P&gt;thank you,&lt;BR /&gt;
-S&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jul 2018 11:50:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/Inputs-conf-use-a-variable/m-p/459682#M5836</guid>
      <dc:creator>sbridge</dc:creator>
      <dc:date>2018-07-25T11:50:36Z</dc:date>
    </item>
    <item>
      <title>Re: Inputs.conf - use a variable</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/Inputs-conf-use-a-variable/m-p/459683#M5837</link>
      <description>&lt;P&gt;Hello sbridge,&lt;/P&gt;

&lt;P&gt;For managing inputs.conf, you can install an UF on the one server where logs from all your other servers are stored (/mnt/logs/shorthostname) and then manage it with DS.&lt;/P&gt;

&lt;P&gt;Your other two questions:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;&lt;P&gt;Yes. You can use &lt;CODE&gt;host_segement&lt;/CODE&gt; to in your monitor stanza to capture hostnames from file path. &lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;Sourcetypes can be defined freely in inputs.conf with whatever name you want. You don't need a configuration setting to set sourcetype. &lt;/P&gt;&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;This is how your inputs.conf looks like:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[monitor:///mnt/logs/shorthostname1]
host_segment = 3
sourcetype = any_sourcetype_name_you_like

[monitor:///mnt/logs/shorthostname2]
host_segment = 3
sourcetype = any_sourcetype_name_you_like
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 25 Jul 2018 12:26:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/Inputs-conf-use-a-variable/m-p/459683#M5837</guid>
      <dc:creator>sudosplunk</dc:creator>
      <dc:date>2018-07-25T12:26:09Z</dc:date>
    </item>
  </channel>
</rss>

