Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Get all data even host name is getting changed while searching

ips_mandar
Builder
‎03-03-2020 09:36 PM

Hi
I am monitoring log file from one folder and giving host field name as hostname.
ex. I am monitoring C:\Logs\GTA(Brazil).*zip
and here my host name is "GTA(Brazil)"
but after some days I changed my folder name to GSTA(Brazil)
Now I want whenever I am searching with index and new host name, I want to see old data as well(including new hostname data) with hostname- GTA(Brazil).
For mapping I am creating one lookup which contain below information-

Name            new_name
GTTA(Brazil)    GTA(Brazil)
GTTA(Brazil)      GSTA(Brazil)

now how macro should be created which will take input as new host name/ old host name and give results with combination of both.
or is there any other way?
Note- the folder name can get changed any time and I can update lookup with new name but while searching for data with host i want to get all data present within folder.
Thanks,

Tags (1)
0 Karma
Reply

gaurav_maniar
Builder
‎03-04-2020 04:18 AM

Hi @ips_mandar ,

There are many was to index and segregate data while indexing it.
- If all the files from the folder are same type, than create a new sourcetype for the data and index data to the particular sourcetype created for GTA/GSTA(Brazil)/MTA(UK)/ATD(USA). Than you can search for the particular sourcetype and Splunk will return events from old and new host names.

index=index_name sourcetype=<your_sourcetype>

  • Now, if the country name part is going to be constant even after folder name changed, than you can simply search for host name containing the country name.

    index=index_name souretype=sourcetype_name host=brazil
    There are many other possible ways, but it all depends on your environment.
    If folder is having multiple types of log files and all them are getting indexed to different index & sourcetype than it will make it very complex scenario.

Regarding creating macros following reference will help (if the above options solves your problem, create the macro of base search query)
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Definesearchmacros
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Searchmacroexamples

accept & upvote the answer if ti helps.

0 Karma
Reply

ips_mandar
Builder
‎03-11-2020 12:01 AM

Thanks but unfortunately it won't help me.
since there can be multiple folders with same country/city/state

0 Karma
Reply

manjunathmeti
SplunkTrust
SplunkTrust
‎03-03-2020 10:59 PM

Create csv file as below:

host
GTA(Brazil)
GSTA(Brazil)

Use csv file lookup in search query as below.

index=INDEXNAME [| inputlookup filename.csv | format]
0 Karma
Reply

ips_mandar
Builder
‎03-03-2020 11:18 PM

@manjunathmeti, My Bad! sorry I haven't mentioned that I have multiple folders under Logs folder which I am monitoring and any folders name may renamed under log folder and I want to get results of all data contain within that folder.
ex. Folder structure is like -
Logs>>GTA(Brazil)
Logs>>MTA(UK)
Logs>>ATD(USA)

and If GTA(Brazil) folder name is changed then while searching with new name GSTA(Brazil) I want old data from host GTA(Brazil) as well but not from any other folders like MTA(UK) or ATD(USA).
Thanks.

0 Karma
Reply

manjunathmeti
SplunkTrust
SplunkTrust
‎03-04-2020 05:26 AM

Then you should use calculated field. Add below configuration in props.conf on search head.

[SOURCETYPE_NAME]
EVAL-host = if(host=="GTA(Brazil)", "GSTA(Brazil)", host)

You can create same from search head UI.
1. Select Settings > Fields.
2. Select Calculated Fields > New Calculated Field.
3. Select the app that will use the calculated field.
4. Select sourcetype to apply to the calculated field and specify a name.
5. Name the resultant calculated field: host
6. Define the eval expression: if(host=="GTA(Brazil)", "GSTA(Brazil)", host)
7. Save and change permissions to other apps and roles.

0 Karma
Reply

ips_mandar
Builder
‎03-11-2020 12:03 AM

Thanks but unfortunately it won't help me.
Since it will change host name at search time but in my case user require to search with old/new folder name as host name and he should get all results contained in a folder.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...