Splunk Dev

Pulling out hostname from UNC path in windows

Esky73
Builder

i have several SQL servers with logs in different places so i've got a share UNC location so i can deploy inputs.conf with the same config.

\SERVERNAME\Log\appserver_log.txt

my inputs.conf looks like this - the log file is processed - but i can't seem to extract the servername - i've tried host_segment but no

[monitor://\*\Log*]
disabled = false
whitelist = appserver_log.txt
index = test

Tags (1)
0 Karma

niketn
Legend

@Esky73, For host_segment have you tried

host_segment=1

Alternatively if you know your servername pattern you can define regex. For ex(you would need to give some anonymized sample server names for exact regular expression):

host_regex=(\w+)\\Log

PS: If you have whitelisted only one log file name why not monitor only that file in the monitor block and remove whitelist?

[monitor://\*\Log\appserver_log.txt]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

woodcock
Esteemed Legend

As far as your monitor/whitelist comment, the 2 forms are identical, especially in the sense that internally Splunk converts what you said to what OP said anyways. Strictly speaking OP's way is "better" but your way is "simpler".

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...