Hi,
I have the below event and I'd like to extract the hostname (ccivirpxa0720) using inputs.conf (I have never done this before).
```
####<Oct 4, 2016 10:01:23 AM EDT> <Warning> <ucontrol> <ccivirpxa0720> <managedServer11> <[ACTIVE] ExecuteThread: '11' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1475589683462> <BEA-000000> <fn.webapp.listener.AuthenticationListener - Authentication event AuthenticationFailureBadCredentialsEvent: gumbo1379; details: RemoteIpAddress: 10.210.192.15; SessionId: 0j2lXz2Tv11pNLL34bq2vtJN1h3SdvqbVnJpBNr7MDMqnc1TBtSJ!1472708347!1475589683460; exception: Bad credential; nested exception is org.springframework.security.BadCredentialsException: Bad credential>
```
Based on your example event, I'm assuming that you're looking to extract the host name from the event data. If that's true, it's done by props/transforms on the Indexer/Heavy forwarder and not in inputs.conf on the forwarder.
The Splunk documentation has a page with full details, with an example, on what needs to be done to achieve that. Have a look at the link below.
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Overridedefaulthostassignments
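One way to write the props/transforms override described in the answer above, as an added example that is not part of the original thread: the sourcetype name `weblogic_server` and the transform name `weblogic_set_host` are assumptions, and the regex is written against the sample event in the question.

```ini
# ---- props.conf (on the indexer or heavy forwarder) ----
# "weblogic_server" is an assumed sourcetype name; use the one assigned
# to this log in your inputs.
[weblogic_server]
TRANSFORMS-sethost = weblogic_set_host

# ---- transforms.conf (same instance) ----
# "weblogic_set_host" is an assumed transform name; it only has to match
# the name referenced in props.conf.
[weblogic_set_host]
# Skip the first three <...> fields (timestamp, severity, subsystem) and
# capture the fourth, which is the machine name in the sample event.
# The capture is limited to hostname characters so a malformed or forged
# line cannot write an arbitrary string into the host field.
REGEX = ^####<[^>]*>\s+<[^>]*>\s+<[^>]*>\s+<([A-Za-z0-9._-]+)>
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

With the sample event, the capture group is `ccivirpxa0720`. The override is applied at index time, so it affects only events indexed after the change.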
Set the event host with the host_segment attribute
The host_segment value overrides the host field with a value that has been extracted from a segment in the path of your data source.
```
[monitor://var/log]
host_regex=\ <\w+\d+>
```
- Save the inputs.conf file.
- Restart the Splunk instance.
http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Setadefaulthostforaninput