topic Re: add oneshot with host segment in Splunk Search

add oneshot with host segment

melonman — Tue, 28 Sep 2010 10:31:39 GMT

Hi there,

I need to re-index some data. In inputs.conf, host_segment parameter is configured as follows:

host_segment = 3

And I issued the following add oneshot command after deleting indexes using "| delete" command:

splunk add oneshot "/path/to/host1/file" -index myidx -sourcetype mytype
splunk add oneshot "/path/to/host2/file" -index myidx -sourcetype mytype
splunk add oneshot "/path/to/host3/file" -index myidx -sourcetype mytype

However, I got the following result:

splunk search '* | top host'

host    count    percent
------ ------ ----------
myhost      5 100.000000

myhost is hostname of splunk server. I expected host1, host2 and host3 in the result.

Could anyone help me retrieve host value using host_segment?

Thanks!

Re: add oneshot with host segment

melonman — Tue, 28 Sep 2010 10:57:49 GMT

I issued the following,

splunk add oneshot "/path/to/host1/file" -index myidx -sourcetype mytype -host_segment 3

I didn't get the result immediately, but I could get correct result after 5 or 6 minutes. Is this expected behaivior?
I would appreciate if anyone could also comment on this.

Re: add oneshot with host segment

gkanapathy — Tue, 28 Sep 2010 12:02:24 GMT

Seems to me if you're putting this in a script and you have the source or file name, it should not be that hard to get the correct host value and that as the argument to the -host option, e.g.

for fn in `cat filelist.txt` ; do
  h=`echo $i | awk -F/ '{print $4}'`
  oneshot $i -host $h -index myidx -sourcetype mytype
done

Re: add oneshot with host segment

melonman — Tue, 28 Sep 2010 13:51:30 GMT

yes, you are right. However, even with -host, it takes about 10 minutes to get the right result. Is it expected behavior? I thought data was indexed right after oneshot command issued.

Re: add oneshot with host segment

gkanapathy — Tue, 28 Sep 2010 19:42:38 GMT

What do you mean by "right result"? how big are the files? how many are there?

Re: add oneshot with host segment

melonman — Wed, 29 Sep 2010 10:21:26 GMT

After deleting and reindexing the same file, it takes some time to get the reindexed data to show up in the search result. Target file contains about 10 lines, and the number of them is 5.

Re: add oneshot with host segment

gkanapathy — Wed, 29 Sep 2010 11:02:24 GMT

This doesn't seem to have anything to do with host_segment

Re: add oneshot with host segment

melonman — Thu, 30 Sep 2010 16:12:06 GMT

Quick confirmation, do you know if using add oneshot with -host_segment option is supported operation by splunk?

Re: add oneshot with host segment

Masa — Sat, 02 Oct 2010 07:04:11 GMT

Yes, we support -host_segment option. We just need to add it in our doc and command help.