Re: During import CSV, how do I use a host_segment...

pmorlon · ‎09-19-2018

Hi,

I import a CSV file like this one :

date;host;type
18/09/18 10:23:50;SERV1;file
18/09/18 10:23:52;SERV2;serv
18/09/18 10:24:50;SERV3;file
18/09/18 10:30:50;SERV4;file
18/09/18 10:33:50;SERV5;file
18/09/18 10:33:55;SERV6;computer

Detected like this :

I try segment number : 2

But at the end, I have
extracted_host = SERVX <- It is ok
host = 127.0.0.1 <- All the line have the same host : 127.0.0.1

Is this normal ? And how could I have host valer with the name of the computer list in the CSV ?

richgalloway · ‎09-19-2018

"Segment number" refers to a portion of the source's file path. If the source is "http://127.0.0.1/foo/bar" then segment 2 would be correctly set to "127.0.0.1".
What result do you expect? Perhaps we can help you achieve that result.

---
If this reply helps you, Karma would be appreciated.

pmorlon · ‎09-19-2018

Thank Richgalloway for your answer.

I have this result :

And i want to have in the Host the same result that extracted_host : SERVX

Is it possible ?

pmorlon · ‎09-19-2018

The picture was not include : https://ibb.co/gFwCGe

richgalloway · ‎09-19-2018

Assignment of host name is done before lookups.

---
If this reply helps you, Karma would be appreciated.

pmorlon · ‎09-19-2018

Ok so it is not possible.
Thanks for the information.

During import CSV, how do I use a host_segment attribute to extract a host name?

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability