add oneshot with host segment

Motivator

Hi there,

I need to re-index some data. In inputs.conf, the host_segment parameter is configured as follows:

host_segment = 3

And I issued the following add oneshot commands after deleting the indexed data using the "| delete" command:

splunk add oneshot "/path/to/host1/file" -index myidx -sourcetype mytype
splunk add oneshot "/path/to/host2/file" -index myidx -sourcetype mytype
splunk add oneshot "/path/to/host3/file" -index myidx -sourcetype mytype

However, I got the following result:

splunk search '* | top host'

host    count    percent
------ ------ ----------
myhost      5 100.000000

myhost is the hostname of the Splunk server. I expected host1, host2 and host3 in the result.

Could anyone help me retrieve the host value using host_segment?

Thanks!


Re: add oneshot with host segment

Motivator

I issued the following:

splunk add oneshot "/path/to/host1/file" -index myidx -sourcetype mytype -host_segment 3

I didn't get the result immediately, but I could get the correct result after 5 or 6 minutes. Is this expected behavior?
I would appreciate it if anyone could also comment on this.


Re: add oneshot with host segment

Splunk Employee

Seems to me if you're putting this in a script and you have the source or file name, it should not be that hard to get the correct host value and pass that as the argument to the -host option, e.g.

for fn in `cat filelist.txt` ; do
  # split on "/": for /path/to/host1/file field 1 is empty, so field 4 is host1
  h=`echo "$fn" | awk -F/ '{print $4}'`
  splunk add oneshot "$fn" -host "$h" -index myidx -sourcetype mytype
done
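
A more defensive variant of the loop above, as an added example that is not part of the original post and is not Splunk's code. It takes the segment number as a parameter, counted the way the thread's host_segment = 3 maps /path/to/host1/file to host1, and skips paths whose segment would put a bogus host value into the index. The function names, the allowed hostname characters, the rule that the segment must be a directory, and the sample paths are assumptions; it prints the commands for review instead of running them.

```shell
#!/bin/sh
# host_from_segment PATH N  (hypothetical helper name)
# Prints the Nth "/"-separated segment of PATH and returns 0,
# or returns 1 when the segment is missing or not a plausible host name.
host_from_segment() {
  path=$1 n=$2
  case $path in /*) ;; *) return 1 ;; esac       # require an absolute path
  case $n in ''|*[!0-9]*) return 1 ;; esac       # N must be all digits
  # The leading "/" makes awk field 1 empty, so segment N is field N+1.
  # NF > n+1 (assumed rule): the segment must be a directory, not the file name.
  seg=$(printf '%s\n' "$path" |
        awk -F/ -v n="$n" 'NR == 1 && n > 0 && NF > n + 1 { print $(n + 1) }')
  case $seg in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;            # assumed hostname character set
  esac
  printf '%s\n' "$seg"
}

# oneshot_cmds LISTFILE N  (hypothetical helper name)
# Dry run: prints one "splunk add oneshot" command per usable path and
# reports every skipped path on stderr so nothing is mislabelled silently.
oneshot_cmds() {
  while IFS= read -r fn || [ -n "$fn" ]; do
    [ -n "$fn" ] || continue
    if h=$(host_from_segment "$fn" "$2"); then
      printf 'splunk add oneshot "%s" -host %s -index myidx -sourcetype mytype\n' \
        "$fn" "$h"
    else
      printf 'skipped (no valid host in segment %s): %s\n' "$2" "$fn" >&2
    fi
  done < "$1"
}

# Constructed sample list (not from the original thread).
list=$(mktemp)
printf '%s\n' /path/to/host1/file /path/to/host2/file \
  '/path/to/bad host/file' /short/file > "$list"
oneshot_cmds "$list" 3
rm -f "$list"
```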


Re: add oneshot with host segment

Motivator

Yes, you are right. However, even with -host, it takes about 10 minutes to get the right result. Is it expected behavior? I thought data was indexed right after the oneshot command was issued.


Re: add oneshot with host segment

Splunk Employee

What do you mean by "right result"? How big are the files? How many are there?


Re: add oneshot with host segment

Motivator

After deleting and reindexing the same file, it takes some time for the reindexed data to show up in the search result. Each target file contains about 10 lines, and there are 5 of them.


Re: add oneshot with host segment

Splunk Employee

This doesn't seem to have anything to do with host_segment.


Re: add oneshot with host segment

Motivator

Quick confirmation: do you know if using add oneshot with the -host_segment option is a supported operation in Splunk?


Re: add oneshot with host segment

Splunk Employee

Yes, we support the -host_segment option. We just need to add it to our docs and command help.
