Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Can I dynamically set the default host value using a Universal Forwarder?

psyched4splunk
Explorer
‎07-16-2019 08:28 AM

I'm using host_regex on a Universal Forwarder.

inputs.conf

[monitor:///app/splunkforwarder/logs/containername/*.log]
interval = 1800
host_regex = \/app\/splunkforwarder\/logs\/(.*?)\/*.log

From my understanding this should set container name as the host_regex.
However this isn't working, what am I doing wrong and how can I fix it?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-16-2019 09:37 AM

Hi psyched4splunk,
let me understand: you want to dinamically set the hostname based on the "containername" part of the pa, is it correct?
if this is your need you have to add to the monitor stanza in inputs.conf, the following option:

host_segment = 4

in this way you dinamically set the hostname as the 4th part of the path.
You can find more information at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution

kgderrekchapin
Path Finder
‎07-16-2019 09:38 AM

See if this helps you at alll.

host_regex = \/app\/splunkforwarder\/logs\/(\w+)\/\w+.log$

Unless there are special characters in your path this should capture the containername. I believe your regex was erroring because of the *.log.

(I could be wrong. Hopefully this helps)

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-16-2019 09:37 AM

Hi psyched4splunk,
let me understand: you want to dinamically set the hostname based on the "containername" part of the pa, is it correct?
if this is your need you have to add to the monitor stanza in inputs.conf, the following option:

host_segment = 4

in this way you dinamically set the hostname as the 4th part of the path.
You can find more information at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Bye.
Giuseppe

Reply
Solved! Jump to solution

psyched4splunk
Explorer
‎07-16-2019 10:08 AM

Yes that's correct.
However a more important part of my question is if setting host_segment and host_regex is dependent on the forwarder?
Can I dynamically set the host on a universal forwarder or no?
I haven't found a clear answer to this question.
I ask because I'm trying to do it on the Universal Forward and it's not working for me as I've included my inputs.conf above.

0 Karma
Reply
Solved! Jump to solution

kgderrekchapin
Path Finder
‎07-16-2019 10:15 AM

Where are you trying to set the hostname at?

The host that has the UF installed on it.

Or the inputs.conf from the deployed app on the UF. (this will set the hostname for the logs ingested by the input.conf stanza)

0 Karma
Reply
Solved! Jump to solution

psyched4splunk
Explorer
‎07-16-2019 12:29 PM

The host that has the UF installed on it.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-17-2019 12:28 AM

Hi psyched4splunk,

if you want to dinamically set the hostname for your logs based on a segment of the path of your logs you can do it, it doesn't depends on the forwarder: the host_segment depends on the input you have to ingest, not on the forwarder.
In other words, you have to configure an input.conf for your logs, setting the correct host_segment for every monitor stanza (eventually more than one) and then deploy it on your forwarders manually or (better) using a Deployment Server.

When you say the "it's not working for me", what do you mean? can you describe more your situation?

As you can read at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf , the hostname id defined by default when the Forwarder is installed, then it's possible to set a different hostname in each stanza of your inputs.conf file using different options (host=, host_segment=, host_regex=) so the most important thing is to clearly define your needs and set them in inputs.conf, then deploy (manually or using a Deployment Server) your app containing your inputs.conf to each forwarder.

Bye.
Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...