I'm using host_regex on a Universal Forwarder.
inputs.conf
[monitor:///app/splunkforwarder/logs/containername/*.log] interval = 1800 host_regex = \/app\/splunkforwarder\/logs\/(.*?)\/*.log
From my understanding this should set container name as the host_regex.
However this isn't working, what am I doing wrong and how can I fix it?
Hi psyched4splunk,
let me understand: you want to dinamically set the hostname based on the "containername" part of the pa, is it correct?
if this is your need you have to add to the monitor stanza in inputs.conf, the following option:
host_segment = 4
in this way you dinamically set the hostname as the 4th part of the path.
You can find more information at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
Bye.
Giuseppe
See if this helps you at alll.
host_regex = \/app\/splunkforwarder\/logs\/(\w+)\/\w+.log$
Unless there are special characters in your path this should capture the containername. I believe your regex was erroring because of the *.log.
(I could be wrong. Hopefully this helps)
Hi psyched4splunk,
let me understand: you want to dinamically set the hostname based on the "containername" part of the pa, is it correct?
if this is your need you have to add to the monitor stanza in inputs.conf, the following option:
host_segment = 4
in this way you dinamically set the hostname as the 4th part of the path.
You can find more information at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
Bye.
Giuseppe
Yes that's correct.
However a more important part of my question is if setting host_segment and host_regex is dependent on the forwarder?
Can I dynamically set the host on a universal forwarder or no?
I haven't found a clear answer to this question.
I ask because I'm trying to do it on the Universal Forward and it's not working for me as I've included my inputs.conf above.
Where are you trying to set the hostname at?
The host that has the UF installed on it.
Or the inputs.conf from the deployed app on the UF. (this will set the hostname for the logs ingested by the input.conf stanza)
The host that has the UF installed on it.
Hi psyched4splunk,
if you want to dinamically set the hostname for your logs based on a segment of the path of your logs you can do it, it doesn't depends on the forwarder: the host_segment depends on the input you have to ingest, not on the forwarder.
In other words, you have to configure an input.conf for your logs, setting the correct host_segment for every monitor stanza (eventually more than one) and then deploy it on your forwarders manually or (better) using a Deployment Server.
When you say the "it's not working for me", what do you mean? can you describe more your situation?
As you can read at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf , the hostname id defined by default when the Forwarder is installed, then it's possible to set a different hostname in each stanza of your inputs.conf file using different options (host=, host_segment=, host_regex=) so the most important thing is to clearly define your needs and set them in inputs.conf, then deploy (manually or using a Deployment Server) your app containing your inputs.conf to each forwarder.
Bye.
Giuseppe