Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dynamic Hostname based on actual host name + sourcetype

peter_gianusso
Communicator
‎09-17-2012 09:07 AM

Monitoring a directory with a bunch of files in it. Only want the .log files from the directory.

Changing the sourcetype based on the file name.

Now I want to change the hostname based on the file name. I saw an example on Splunkbase and tried using it below unsuccessfully. In the end, based on the file name, I want to assign different values to the hostname.

if the file matches the pattern, CAPPM*.log, then I want the hostname to be HOSTNAME (computer) + the source type from the props.conf (ex. njros1bva0597_SOURCE1)

if the file matches the pattern, ex*.log, then I want the hostname to be HOSTNAME (computer) + the source type from props.conf (ex. njros1bva0597_SOURCE2)

Below is my probably feeble attempt.

inputs.conf
[monitor://\njros1bva0597\d$\LogFiles\W3SVC1]
disabled = 0
host = NJROS1BVA0621ABC
index=imaging
whitelist = .log$

Props.conf
[source::...\CAPPM*.log]
sourcetype = SOURCE1

[source::...\ex*.log]
sourcetype = SOURCE2

[SOURCE2]
TRANSFORMS-hostname = esx_remap_host

transforms.conf
[esx_remap_host]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Host
REGEX = /dir1/dir2/(.+)/ex120110.log
FORMAT = host::$1

0 Karma
Reply

MarioM
Motivator
‎09-17-2012 12:09 PM

have you tried regex on path in inputs.conf with following parameter?

host_regex=
0 Karma
Reply

peter_gianusso
Communicator
‎09-17-2012 12:40 PM

Sorry...Should have stated I wanted to append the source type from the props.conf to the actual host name. The appending of the 2 would be the source name I wanted.

I don't think doing that in inputs.conf will do that because props.conf has not been executed.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...