Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dynamic Hostname based on actual host name + sourcetype

peter_gianusso
Communicator
‎09-17-2012 09:07 AM

Monitoring a directory with a bunch of files in it. Only want the .log files from the directory.

Changing the sourcetype based on the file name.

Now I want to change the hostname based on the file name. I saw an example on Splunkbase and tried using it below unsuccessfully. In the end, based on the file name, I want to assign different values to the hostname.

if the file matches the pattern, CAPPM*.log, then I want the hostname to be HOSTNAME (computer) + the source type from the props.conf (ex. njros1bva0597_SOURCE1)

if the file matches the pattern, ex*.log, then I want the hostname to be HOSTNAME (computer) + the source type from props.conf (ex. njros1bva0597_SOURCE2)

Below is my probably feeble attempt.

inputs.conf
[monitor://\njros1bva0597\d$\LogFiles\W3SVC1]
disabled = 0
host = NJROS1BVA0621ABC
index=imaging
whitelist = .log$

Props.conf
[source::...\CAPPM*.log]
sourcetype = SOURCE1

[source::...\ex*.log]
sourcetype = SOURCE2

[SOURCE2]
TRANSFORMS-hostname = esx_remap_host

transforms.conf
[esx_remap_host]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Host
REGEX = /dir1/dir2/(.+)/ex120110.log
FORMAT = host::$1

0 Karma
Reply

MarioM
Motivator
‎09-17-2012 12:09 PM

have you tried regex on path in inputs.conf with following parameter?

host_regex=
0 Karma
Reply

peter_gianusso
Communicator
‎09-17-2012 12:40 PM

Sorry...Should have stated I wanted to append the source type from the props.conf to the actual host name. The appending of the 2 would be the source name I wanted.

I don't think doing that in inputs.conf will do that because props.conf has not been executed.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...