topic Re: Get all data even host name is getting changed while searching in Splunk Search

Get all data even host name is getting changed while searching

ips_mandar — Wed, 04 Mar 2020 05:36:37 GMT

Hi
I am monitoring log file from one folder and giving host field name as hostname.
ex. I am monitoring C:\Logs\GTA(Brazil).*zip
and here my host name is "GTA(Brazil)"
but after some days I changed my folder name to GSTA(Brazil)
Now I want whenever I am searching with index and new host name, I want to see old data as well(including new hostname data) with hostname- GTA(Brazil).
For mapping I am creating one lookup which contain below information-

Name            new_name
GTTA(Brazil)    GTA(Brazil)
GTTA(Brazil)      GSTA(Brazil)

now how macro should be created which will take input as new host name/ old host name and give results with combination of both.
or is there any other way?
Note- the folder name can get changed any time and I can update lookup with new name but while searching for data with host i want to get all data present within folder.
Thanks,

Re: Get all data even host name is getting changed while searching

manjunathmeti — Wed, 04 Mar 2020 06:59:53 GMT

Create csv file as below:

host
GTA(Brazil)
GSTA(Brazil)

Use csv file lookup in search query as below.

index=INDEXNAME [| inputlookup filename.csv | format]

Re: Get all data even host name is getting changed while searching

ips_mandar — Wed, 04 Mar 2020 07:18:56 GMT

@manjunathmeti, My Bad! sorry I haven't mentioned that I have multiple folders under Logs folder which I am monitoring and any folders name may renamed under log folder and I want to get results of all data contain within that folder.
ex. Folder structure is like -
Logs>>GTA(Brazil)
Logs>>MTA(UK)
Logs>>ATD(USA)

and If GTA(Brazil) folder name is changed then while searching with new name GSTA(Brazil) I want old data from host GTA(Brazil) as well but not from any other folders like MTA(UK) or ATD(USA).
Thanks.

Re: Get all data even host name is getting changed while searching

gaurav_maniar — Wed, 30 Sep 2020 04:27:50 GMT

Hi @ips_mandar ,

There are many was to index and segregate data while indexing it.
- If all the files from the folder are same type, than create a new sourcetype for the data and index data to the particular sourcetype created for GTA/GSTA(Brazil)/MTA(UK)/ATD(USA). Than you can search for the particular sourcetype and Splunk will return events from old and new host names.

index=index_name sourcetype=<your_sourcetype>

Now, if the country name part is going to be constant even after folder name changed, than you can simply search for host name containing the country name.

index=index_name souretype=sourcetype_name host=brazil
There are many other possible ways, but it all depends on your environment.
If folder is having multiple types of log files and all them are getting indexed to different index & sourcetype than it will make it very complex scenario.

Regarding creating macros following reference will help (if the above options solves your problem, create the macro of base search query)
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Definesearchmacros
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Searchmacroexamples

accept & upvote the answer if ti helps.

Re: Get all data even host name is getting changed while searching

manjunathmeti — Wed, 04 Mar 2020 13:26:11 GMT

Then you should use calculated field. Add below configuration in props.conf on search head.

[SOURCETYPE_NAME]
EVAL-host = if(host=="GTA(Brazil)", "GSTA(Brazil)", host)

You can create same from search head UI.
1. Select Settings > Fields.
2. Select Calculated Fields > New Calculated Field.
3. Select the app that will use the calculated field.
4. Select sourcetype to apply to the calculated field and specify a name.
5. Name the resultant calculated field: host
6. Define the eval expression: if(host=="GTA(Brazil)", "GSTA(Brazil)", host)
7. Save and change permissions to other apps and roles.

Re: Get all data even host name is getting changed while searching

ips_mandar — Wed, 11 Mar 2020 07:01:14 GMT

Thanks but unfortunately it won't help me.
since there can be multiple folders with same country/city/state

Re: Get all data even host name is getting changed while searching

ips_mandar — Wed, 11 Mar 2020 07:03:33 GMT

Thanks but unfortunately it won't help me.
Since it will change host name at search time but in my case user require to search with old/new folder name as host name and he should get all results contained in a folder.