Splunk Dev

Pulling out hostname from UNC path in windows

Esky73
Builder

i have several SQL servers with logs in different places so i've got a share UNC location so i can deploy inputs.conf with the same config.

\SERVERNAME\Log\appserver_log.txt

my inputs.conf looks like this - the log file is processed - but i can't seem to extract the servername - i've tried host_segment but no

[monitor://\*\Log*]
disabled = false
whitelist = appserver_log.txt
index = test

Tags (1)
0 Karma

niketn
Legend

@Esky73, For host_segment have you tried

host_segment=1

Alternatively if you know your servername pattern you can define regex. For ex(you would need to give some anonymized sample server names for exact regular expression):

host_regex=(\w+)\\Log

PS: If you have whitelisted only one log file name why not monitor only that file in the monitor block and remove whitelist?

[monitor://\*\Log\appserver_log.txt]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

woodcock
Esteemed Legend

As far as your monitor/whitelist comment, the 2 forms are identical, especially in the sense that internally Splunk converts what you said to what OP said anyways. Strictly speaking OP's way is "better" but your way is "simpler".

0 Karma
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...