Getting Data In

Help with setting the hostname path on ~200 servers?

FIS1
Explorer

We are pushing out forwarders to over 200 servers this month. I intend to connect the forwarders to a deployment server and then push out the server.conf file using the below setup.

[general]
serverName = $HOSTNAME

Since there are so many servers I do not want to manually set the hostname for each server. This seems to work but when I got to edit the inputs.conf file we have to monitor a server.log file that has the hostname before it.

[monitor:///testarea/host1_server.log]

I have tried setting "host1" to "$HOSTNAME" and "hostname". All which return the actual we are trying to monitor

When doing a ls -ltr on /testarea/$HOSTNAME_server.log it returns /testarea/host1_server.log.

Is Splunk able to do this?

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

Why wouldnt you just use a wildcard in your monitor stanza?

[monitor:///testarea/*_server.log]

View solution in original post

ddrillic
Ultra Champion

You can run during the install process something like the following command -

/opt/splunk/splunkforwarder/bin/splunk set default-hostname <host>
0 Karma

jkat54
SplunkTrust
SplunkTrust

Why wouldnt you just use a wildcard in your monitor stanza?

[monitor:///testarea/*_server.log]

View solution in original post

FIS1
Explorer

Thanks jkat54 ... smh not sure why i was thinking i needed to get hostname for that path as that is the only file that ends with _server.log.

Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!