
Extract Hostname using inputs.conf

dbcase
Motivator

Hi,

I have the event below and I'd like to extract the hostname (ccivirpxa0720) using inputs.conf (I have never done this before).

####<Oct 4, 2016 10:01:23 AM EDT> <Warning> <ucontrol> <ccivirpxa0720> <managedServer11> <[ACTIVE] ExecuteThread: '11' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1475589683462> <BEA-000000> <fn.webapp.listener.AuthenticationListener  - Authentication event AuthenticationFailureBadCredentialsEvent: gumbo1379; details: RemoteIpAddress: 10.210.192.15; SessionId: 0j2lXz2Tv11pNLL34bq2vtJN1h3SdvqbVnJpBNr7MDMqnc1TBtSJ!1472708347!1475589683460; exception: Bad credential; nested exception is org.springframework.security.BadCredentialsException: Bad credential> 
0 Karma
1 Solution

somesoni2
Revered Legend

Based on your example event, I'm assuming that you're looking to extract the host name from the event data. If that's true, it's done by props/transforms on Indexer/Heavy forwarder and not in inputs.conf on forwarder.

The Splunk documentation has a page with full details, with an example, on what needs to be done to achieve that. Have a look at the link below.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Overridedefaulthostassignments


0 Karma


inventsekar
SplunkTrust

Set the event host with the host_segment attribute
The host_segment value overrides the host field with a value that has been extracted from a segment in the path of your data source.

  1. Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.
  2. Add a host_segment attribute to a stanza to override the host field with a value that has been extracted from a segment in the path of your data source. For example, if the path to the source is /var/log/ and you want the third segment (the host server name) to be the host value, set host_segment as follows:

```ini
[monitor:///var/log/]
# host_segment takes the third segment of the source path, e.g.
# /var/log/ccivirpxa0720/server.log -> host = ccivirpxa0720
host_segment = 3

# Alternative: host_regex is also matched against the source path;
# the first capture group becomes the host value.
# host_regex = /var/log/(\w+)

# Note: host_regex is applied to the file path, not to the event text,
# so a pattern aimed at the event's <hostname> field matches nothing:
# host_regex = <\w+\d+>
```

  3. Save the inputs.conf file.
  4. Restart the Splunk instance.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Setadefaulthostforaninput

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting, thanks for reading!
0 Karma
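As an added illustration (not code from either answer or from Splunk's documentation), the following Python script applies the two mechanisms discussed in this thread to the question's event: the index-time props/transforms host override that somesoni2 points to, and the inputs.conf `host_segment` / `host_regex` settings quoted in Sekar's post. The sourcetype name `weblogic_server`, the transform name `set_host_from_weblogic_event` and the monitored path `/var/log/ccivirpxa0720/server.log` are assumptions; Python's `re` module stands in for Splunk's PCRE engine, and the sample event is a trimmed copy of the line in the question.

```python
import re
from typing import Dict, Optional

# Constructed sample: the leading fields of the WebLogic line from the
# question, trimmed after the server-name field. The host is the fourth
# angle-bracketed token.
SAMPLE_EVENT = (
    "####<Oct 4, 2016 10:01:23 AM EDT> <Warning> <ucontrol> <ccivirpxa0720> "
    "<managedServer11> <[ACTIVE] ExecuteThread: '11' for queue: "
    "'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> "
    "<1475589683462> <BEA-000000> <Authentication event ...>"
)

# Assumed source path of the monitor input (not taken from the thread).
SAMPLE_SOURCE = "/var/log/ccivirpxa0720/server.log"

# Regex for transforms.conf: skip the timestamp, severity and subsystem
# fields, then capture the fourth <...> field (the WebLogic host name).
EVENT_HOST_REGEX = r"^####<[^>]*>\s+<[^>]*>\s+<[^>]*>\s+<([^>\s]+)>"


def render_conf(sourcetype: str = "weblogic_server") -> Dict[str, str]:
    """Return the props.conf / transforms.conf stanzas that override the
    host at index time. TRANSFORMS-* classes run on the parsing tier
    (indexer or heavy forwarder), which is why inputs.conf on a universal
    forwarder cannot do this."""
    transform = "set_host_from_weblogic_event"  # assumed transform name
    props = f"[{sourcetype}]\nTRANSFORMS-host = {transform}\n"
    transforms = (
        f"[{transform}]\n"
        f"REGEX = {EVENT_HOST_REGEX}\n"
        "FORMAT = host::$1\n"
        "DEST_KEY = MetaData:Host\n"
    )
    return {"props.conf": props, "transforms.conf": transforms}


def host_from_event(event: str) -> Optional[str]:
    """What the transform above yields for one event. None means no match,
    so the event keeps the host assigned by the input."""
    m = re.search(EVENT_HOST_REGEX, event)
    return m.group(1) if m else None


def host_from_path_segment(source: str, segment: int) -> Optional[str]:
    """inputs.conf host_segment = N: the Nth segment of the source path,
    counted from 1 after the leading slash."""
    parts = [p for p in source.split("/") if p]
    return parts[segment - 1] if 1 <= segment <= len(parts) else None


def host_from_path_regex(source: str, pattern: str) -> Optional[str]:
    """inputs.conf host_regex: first capture group matched against the
    source path. It never sees the event text, so a pattern written for
    the event's <hostname> token returns None here."""
    m = re.search(pattern, source)
    return m.group(1) if m and m.lastindex else None


if __name__ == "__main__":
    for name, text in render_conf().items():
        print(f"--- {name} ---\n{text}")
    print("host from event text:", host_from_event(SAMPLE_EVENT))
    print("host_segment = 3    :", host_from_path_segment(SAMPLE_SOURCE, 3))
    print("host_regex on path  :", host_from_path_regex(SAMPLE_SOURCE, r"/var/log/(\w+)"))
    print("event regex on path :", host_from_path_regex(SAMPLE_SOURCE, r"<\w+\d+>"))
```

The last line of the `__main__` block is the check worth keeping in mind: the event-oriented pattern from the inputs.conf attempt matches nothing when applied to a file path, so the host stays at its default. Either the file path must carry the host name (then `host_segment` or `host_regex` in inputs.conf is enough), or the host has to be pulled from the event text with the props/transforms pair, applied where parsing happens and only to events indexed after the change.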