Pulling out hostname from UNC path in windows

Esky73 · ‎05-31-2017

i have several SQL servers with logs in different places so i've got a share UNC location so i can deploy inputs.conf with the same config.

\SERVERNAME\Log\appserver_log.txt

my inputs.conf looks like this - the log file is processed - but i can't seem to extract the servername - i've tried host_segment but no

[monitor://\*\Log*]
disabled = false
whitelist = appserver_log.txt
index = test

niketn · ‎06-01-2017

@Esky73, For host_segment have you tried

host_segment=1

Alternatively if you know your servername pattern you can define regex. For ex(you would need to give some anonymized sample server names for exact regular expression):

host_regex=(\w+)\\Log

PS: If you have whitelisted only one log file name why not monitor only that file in the monitor block and remove whitelist?

[monitor://\*\Log\appserver_log.txt]

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

woodcock · ‎06-01-2017

As far as your monitor/whitelist comment, the 2 forms are identical, especially in the sense that internally Splunk converts what you said to what OP said anyways. Strictly speaking OP's way is "better" but your way is "simpler".

Pulling out hostname from UNC path in windows

Get Operational Insights Quickly with Natural Language on the Splunk Platform

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2

Are you a member of the Splunk Community?

Pulling out hostname from UNC path in windows

Get Operational Insights Quickly with Natural Language on the Splunk Platform

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2