Getting Data In

Extract Hostname using inputs.conf

dbcase
Motivator

Hi,

I have the below event and I'd like to extract the hostname (ccivirpxa0720) using inputs.conf (never have done this before).

####<Oct 4, 2016 10:01:23 AM EDT> <Warning> <ucontrol> <ccivirpxa0720> <managedServer11> <[ACTIVE] ExecuteThread: '11' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1475589683462> <BEA-000000> <fn.webapp.listener.AuthenticationListener  - Authentication event AuthenticationFailureBadCredentialsEvent: gumbo1379; details: RemoteIpAddress: 10.210.192.15; SessionId: 0j2lXz2Tv11pNLL34bq2vtJN1h3SdvqbVnJpBNr7MDMqnc1TBtSJ!1472708347!1475589683460; exception: Bad credential; nested exception is org.springframework.security.BadCredentialsException: Bad credential> 
0 Karma
1 Solution

somesoni2
Revered Legend

Based on your example event, I'm assuming that you're looking to extract the host name from the event data. If that's true, it's done by props/transforms on Indexer/Heavy forwarder and not in inputs.conf on forwarder.

The Splunk documentation has a page with full details, with example, on what needs to be done to achieve that. Have a look at below link.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Overridedefaulthostassignments

View solution in original post

0 Karma

somesoni2
Revered Legend

Based on your example event, I'm assuming that you're looking to extract the host name from the event data. If that's true, it's done by props/transforms on Indexer/Heavy forwarder and not in inputs.conf on forwarder.

The Splunk documentation has a page with full details, with example, on what needs to be done to achieve that. Have a look at below link.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Overridedefaulthostassignments

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Set the event host with the host_segment attribute
The host_segment value overrides the host field with a value that has been extracted from a segment in the path of your data source.

  1. Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.
  2. Add a host_segment attribute to a stanza to override the host field with a value that has been extracted from a segment in the path of your data source. For example, if the path to the source is /var/log/ and you want the third segment (the host server name) to be the host value, set host_segment as follows:

`[monitor://var/log]

example - host_regex = /var/log/(\w+)

host_regex=\ <\w+\d+>`

-Save the inputs.conf file.
-Restart the Splunk instance.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Setadefaulthostforaninput

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...