Hi there,
I need to re-index some data. In inputs.conf, the host_segment parameter is configured as follows:
host_segment = 3
And I issued the following add oneshot commands after deleting indexes using the "| delete" command:
splunk add oneshot "/path/to/host1/file" -index myidx -sourcetype mytype
splunk add oneshot "/path/to/host2/file" -index myidx -sourcetype mytype
splunk add oneshot "/path/to/host3/file" -index myidx -sourcetype mytype
However, I got the following result:
splunk search '* | top host'
host    count   percent
------  ------  ----------
myhost  5       100.000000
myhost is the hostname of the Splunk server. I expected host1, host2 and host3 in the result.
Could anyone help me retrieve the host value using host_segment?
Thanks!
Seems to me if you're putting this in a script and you have the source or file name, it should not be that hard to get the correct host value and pass that as the argument to the -host option, e.g.
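# filelist.txt holds one file path per line, e.g. /path/to/host1/file
for fn in `cat filelist.txt` ; do
    # awk field 4 is the third path segment (field 1 is empty before the leading /)
    h=`echo "$fn" | awk -F/ '{print $4}'`
    splunk add oneshot "$fn" -host "$h" -index myidx -sourcetype mytype
done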
Yes, we support the -host_segment option. We just need to add it to our docs and command help.
Quick confirmation: do you know if using add oneshot with the -host_segment option is a supported operation by Splunk?
This doesn't seem to have anything to do with host_segment.
After deleting and reindexing the same file, it takes some time to get the reindexed data to show up in the search result. Target file contains about 10 lines, and the number of them is 5.
What do you mean by "right result"? How big are the files? How many are there?
Yes, you are right. However, even with -host, it takes about 10 minutes to get the right result. Is this expected behavior? I thought data was indexed right after the oneshot command was issued.
I issued the following:
splunk add oneshot "/path/to/host1/file" -index myidx -sourcetype mytype -host_segment 3
I didn't get the result immediately, but I could get the correct result after 5 or 6 minutes. Is this expected behavior?
I would appreciate it if anyone could also comment on this.