Getting Data In

Can I dynamically set the default host value using a Universal Forwarder?

psyched4splunk
Explorer

I'm using host_regex on a Universal Forwarder.

inputs.conf

[monitor:///app/splunkforwarder/logs/containername/*.log]
interval = 1800
host_regex = \/app\/splunkforwarder\/logs\/(.*?)\/*.log

From my understanding this should set the container name as the host via host_regex.
However this isn't working. What am I doing wrong and how can I fix it?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi psyched4splunk,
let me understand: you want to dynamically set the hostname based on the "containername" part of the path, is that correct?
If this is your need, you have to add the following option to the monitor stanza in inputs.conf:

host_segment = 4

In this way you dynamically set the hostname as the 4th part of the path.
You can find more information at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Bye.
Giuseppe


kgderrekchapin
Path Finder

See if this helps you at all.

host_regex = \/app\/splunkforwarder\/logs\/(\w+)\/\w+.log$

Unless there are special characters in your path this should capture the containername. I believe your regex was erroring because of the *.log.

(I could be wrong. Hopefully this helps)

0 Karma

psyched4splunk
Explorer

Yes that's correct.
However, a more important part of my question is whether setting host_segment and host_regex is dependent on the forwarder.
Can I dynamically set the host on a Universal Forwarder or not?
I haven't found a clear answer to this question.
I ask because I'm trying to do it on the Universal Forwarder and it's not working for me, as shown in the inputs.conf I included above.

0 Karma

kgderrekchapin
Path Finder

Where are you trying to set the hostname?

The host that has the UF installed on it?

Or the inputs.conf from the deployed app on the UF? (This will set the hostname for the logs ingested by the inputs.conf stanza.)

0 Karma

psyched4splunk
Explorer

The host that has the UF installed on it.

0 Karma

gcusello
SplunkTrust

Hi psyched4splunk,

If you want to dynamically set the hostname for your logs based on a segment of the path of your logs, you can do it, and it doesn't depend on the forwarder: the host_segment depends on the input you have to ingest, not on the forwarder.
In other words, you have to configure an inputs.conf for your logs, setting the correct host_segment for every monitor stanza (possibly more than one), and then deploy it on your forwarders manually or (better) using a Deployment Server.

When you say "it's not working for me", what do you mean? Can you describe your situation in more detail?

As you can read at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf , the hostname is defined by default when the Forwarder is installed; then it's possible to set a different hostname in each stanza of your inputs.conf file using different options (host=, host_segment=, host_regex=). So the most important thing is to clearly define your needs and set them in inputs.conf, then deploy (manually or using a Deployment Server) your app containing your inputs.conf to each forwarder.

Bye.
Giuseppe
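The thread compares three ways of deriving the host from the monitored path: the original host_regex from the question, the `(\w+)` regex suggested by kgderrekchapin, and gcusello's host_segment = 4. The script below is an added example, written for this page and not code from any of the posters or from Splunk: it simulates the inputs.conf rules (host_segment = N takes the Nth "/"-separated segment, host_regex uses the first capture group) on a few constructed paths so you can see what each setting would actually produce. Search (rather than anchored) semantics for host_regex and the `ANCHORED_HOST_REGEX` variant are assumptions of this example. A UF does honor both settings for monitor inputs; the host is assigned on the forwarder before the data leaves it.

```python
"""Simulate how a Splunk monitor stanza derives the host field from a file path.

Approximation for illustration only: Splunk applies host_regex and host_segment
itself at input time. The rules below follow the inputs.conf spec wording
(host_segment = N -> Nth '/'-separated segment; host_regex -> first capture
group) but are not Splunk's code.
"""
import re
from typing import Dict, Iterable, Optional

# Constructed sample paths (not from the thread); all fall under the poster's
# monitor:///app/splunkforwarder/logs/containername/*.log stanza.
SAMPLE_PATHS = [
    "/app/splunkforwarder/logs/web-frontend/access.log",
    "/app/splunkforwarder/logs/auth_service/app.log",
    "/app/splunkforwarder/logs/db01/db.log",
]

# Regexes as posted in the thread, plus an anchored variant (an assumption of
# this example) whose capture group cannot contain '/'.
ORIGINAL_HOST_REGEX = r"\/app\/splunkforwarder\/logs\/(.*?)\/*.log"
POSTED_FIX_HOST_REGEX = r"\/app\/splunkforwarder\/logs\/(\w+)\/\w+.log$"
ANCHORED_HOST_REGEX = r"^/app/splunkforwarder/logs/([^/]+)/[^/]+\.log$"


def host_from_segment(path: str, host_segment: int) -> Optional[str]:
    """host_segment = N: the Nth '/'-separated segment, counted from 1,
    ignoring the empty segment in front of the leading '/'."""
    if host_segment < 1:
        return None  # spec: values below 1 fall back to the default host
    segments = [s for s in path.split("/") if s]
    return segments[host_segment - 1] if host_segment <= len(segments) else None


def host_from_regex(path: str, host_regex: str) -> Optional[str]:
    """host_regex: the first capture group, searched in the full path.
    None means Splunk would fall back to the default host."""
    m = re.search(host_regex, path)
    if not m or not m.groups():
        return None
    return m.group(1)


def derive_hosts(paths: Iterable[str], host_regex: Optional[str] = None,
                 host_segment: Optional[int] = None) -> Dict[str, Optional[str]]:
    """Return {path: host} for the files matched by one monitor stanza."""
    out: Dict[str, Optional[str]] = {}
    for p in paths:
        if host_regex is not None:
            out[p] = host_from_regex(p, host_regex)
        elif host_segment is not None:
            out[p] = host_from_segment(p, host_segment)
        else:
            out[p] = None
    return out


def is_safe_host(host: Optional[str]) -> bool:
    """Sanity check before trusting a path-derived host: reject empty values
    and values that still contain '/', which break per-host searches."""
    return bool(host) and "/" not in host


if __name__ == "__main__":
    for label, kw in [
        ("original host_regex", {"host_regex": ORIGINAL_HOST_REGEX}),
        ("posted fix with (\\w+)", {"host_regex": POSTED_FIX_HOST_REGEX}),
        ("anchored host_regex", {"host_regex": ANCHORED_HOST_REGEX}),
        ("host_segment = 4", {"host_segment": 4}),
    ]:
        print(f"== {label}")
        for path, host in derive_hosts(SAMPLE_PATHS, **kw).items():
            print(f"  {path} -> {host!r}  safe={is_safe_host(host)}")
```

Two things the run makes visible. The original regex's `\/*.log` is "zero or more slashes, any character, log", so the lazy group keeps growing until it reaches `.log` and captures `web-frontend/access`, a host containing a slash; the `(\w+)` variant fixes that but yields no match at all for a directory such as `web-frontend`, because `\w` excludes the hyphen, so Splunk falls back to the default host for that container. host_segment = 4 has no such edge case and is the simplest choice for a fixed directory layout. Also note that `interval` is a scripted-input setting and does nothing in a monitor stanza; `splunk btool inputs list --debug` on the forwarder will show which stanza and settings are actually in effect. Finally, a path-derived host is only as trustworthy as the filesystem: anyone who can create a directory under /app/splunkforwarder/logs chooses the host value that ends up in your searches and alerts, so keep write access to that tree restricted.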
