Getting Data In

Dynamic Hostname based on actual host name + sourcetype

peter_gianusso
Communicator

Monitoring a directory with a bunch of files in it. Only want the .log files from the directory.

Changing the sourcetype based on the file name.

Now I want to change the hostname based on the file name. I saw an example on Splunkbase and tried using it below unsuccessfully. In the end, based on the file name, I want to assign different values to the hostname.

If the file matches the pattern CAPPM*.log, then I want the hostname to be HOSTNAME (computer) + the source type from the props.conf (ex. njros1bva0597_SOURCE1).

If the file matches the pattern ex*.log, then I want the hostname to be HOSTNAME (computer) + the source type from props.conf (ex. njros1bva0597_SOURCE2).

Below is my probably feeble attempt.

inputs.conf
[monitor://\njros1bva0597\d$\LogFiles\W3SVC1]
disabled = 0
host = NJROS1BVA0621ABC
index=imaging
whitelist = .log$

props.conf
[source::...\CAPPM*.log]
sourcetype = SOURCE1

[source::...\ex*.log]
sourcetype = SOURCE2

[SOURCE2]
TRANSFORMS-hostname = esx_remap_host

transforms.conf
[esx_remap_host]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Host
REGEX = /dir1/dir2/(.+)/ex120110.log
FORMAT = host::$1

0 Karma

MarioM
Motivator

Have you tried a regex on the path in inputs.conf with the following parameter?

host_regex=
0 Karma

peter_gianusso
Communicator

Sorry...Should have stated I wanted to append the source type from the props.conf to the actual host name. The appending of the 2 would be the source name I wanted.

I don't think doing that in inputs.conf will do that because props.conf has not been executed.

0 Karma
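An added example, not part of the thread and not Splunk's own code: a small Python model of an index-time transform (unanchored REGEX search on the SOURCE_KEY value, then `$N` substitution into FORMAT) for dry-running the stanza from the question. The sample source path and host value are constructed from the post, the `source::` and `host::` prefixes are how Splunk stores those metadata keys, and `append_suffix` is a hypothetical alternative that reads `MetaData:Host` and writes it back with a fixed suffix, one transform per sourcetype.

```python
import re

# Constructed sample values modelled on the post. Splunk stores these
# metadata keys with a "source::" / "host::" prefix.
SAMPLE_SOURCE = r"source::\\njros1bva0597\d$\LogFiles\W3SVC1\ex120110.log"
SAMPLE_HOST = "host::njros1bva0597"


def apply_transform(key_value, regex, fmt):
    """Model one transform: search REGEX in the SOURCE_KEY value and expand
    $N in FORMAT. Returns None when REGEX does not match, in which case the
    destination key would be left unchanged."""
    m = re.search(regex, key_value)
    if m is None:
        return None
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)


def posted_attempt():
    # REGEX and FORMAT exactly as posted in [esx_remap_host]. The pattern
    # expects forward slashes and /dir1/dir2/, which the Windows path lacks.
    return apply_transform(SAMPLE_SOURCE,
                           r"/dir1/dir2/(.+)/ex120110.log",
                           "host::$1")


def append_suffix(suffix):
    # Hypothetical alternative (assumption, not from the thread):
    #   SOURCE_KEY = MetaData:Host
    #   REGEX      = ^host::(.+)$
    #   FORMAT     = host::$1_<suffix>
    #   DEST_KEY   = MetaData:Host
    return apply_transform(SAMPLE_HOST, r"^host::(.+)$", "host::$1_" + suffix)


if __name__ == "__main__":
    print("posted transform ->", posted_attempt())
    for st in ("SOURCE1", "SOURCE2"):
        print(st, "->", append_suffix(st))
```

A result of `None` from `posted_attempt()` means the host key is never rewritten, which matches the behaviour described in the question.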