Getting Data In

Extract Hostname using inputs.conf

dbcase
Motivator

Hi,

I have the below event and I'd like to extract the hostname (ccivirpxa0720) using inputs.conf (never have done this before).

####<Oct 4, 2016 10:01:23 AM EDT> <Warning> <ucontrol> <ccivirpxa0720> <managedServer11> <[ACTIVE] ExecuteThread: '11' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1475589683462> <BEA-000000> <fn.webapp.listener.AuthenticationListener  - Authentication event AuthenticationFailureBadCredentialsEvent: gumbo1379; details: RemoteIpAddress: 10.210.192.15; SessionId: 0j2lXz2Tv11pNLL34bq2vtJN1h3SdvqbVnJpBNr7MDMqnc1TBtSJ!1472708347!1475589683460; exception: Bad credential; nested exception is org.springframework.security.BadCredentialsException: Bad credential> 
0 Karma
1 Solution

somesoni2
Revered Legend

Based on your example event, I'm assuming that you're looking to extract the host name from the event data. If that's true, it's done by props/transforms on Indexer/Heavy forwarder and not in inputs.conf on forwarder.

The Splunk documentation has a page with full details, with example, on what needs to be done to achieve that. Have a look at below link.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Overridedefaulthostassignments

View solution in original post

0 Karma

somesoni2
Revered Legend

Based on your example event, I'm assuming that you're looking to extract the host name from the event data. If that's true, it's done by props/transforms on Indexer/Heavy forwarder and not in inputs.conf on forwarder.

The Splunk documentation has a page with full details, with example, on what needs to be done to achieve that. Have a look at below link.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Overridedefaulthostassignments

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Set the event host with the host_segment attribute
The host_segment value overrides the host field with a value that has been extracted from a segment in the path of your data source.

  1. Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.
  2. Add a host_segment attribute to a stanza to override the host field with a value that has been extracted from a segment in the path of your data source. For example, if the path to the source is /var/log/ and you want the third segment (the host server name) to be the host value, set host_segment as follows:

`[monitor://var/log]

example - host_regex = /var/log/(\w+)

host_regex=\ <\w+\d+>`

-Save the inputs.conf file.
-Restart the Splunk instance.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Setadefaulthostforaninput

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...