Solved: How to monitor a file that includes the hostname o...

atownson · ‎11-05-2019

We have a set of servers defined within a server class using a deployment server. The deployment apps include an inputs.conf for each server within the class. One file we're monitoring includes the hostname of the local machine. How do you resolve the hostname inside the inputs.conf? I would assume it would be a variable or token but not sure what.

Example:
ServerA => [monitor:///path/to/file/ServerA.xml]
ServerB => [monitor:///path/to/file/ServerB.xml]

I did find a similar question or two in answers but did not find an appropriate resolution.

woodcock · ‎11-05-2019

The way to do this is to use some other tool like tanium to run a 1-time script that creates a soft link to the proper file and put it by itself and monitor that. Something like this:

mkdir -p /path/to/file/forsplunk/
ln -fs /path/to/file/${hostname}.xml /path/to/file/forsplunk/somestaticname.xml

Then use:

[monitor:///path/to/file/somestaticname.xml]

View solution in original post

woodcock · ‎11-05-2019

The way to do this is to use some other tool like tanium to run a 1-time script that creates a soft link to the proper file and put it by itself and monitor that. Something like this:

mkdir -p /path/to/file/forsplunk/
ln -fs /path/to/file/${hostname}.xml /path/to/file/forsplunk/somestaticname.xml

Then use:

[monitor:///path/to/file/somestaticname.xml]

atownson · ‎11-06-2019

This seems like a viable workaround. Thank you.

atownson · ‎11-07-2019

FYI, for users monitoring the file based on modified time this solution will not work because the softlink's modified time is not updated in tandem with the target's modified time.

atownson · ‎11-05-2019

A quick note: we need to index exactly [hostname].xml. There are other XMLs that could be in the dir that we do not want indexed and there's no required pattern for the hostname.

marycordova · ‎11-05-2019

Are you just trying to set the path for the inputs including the hostname such as "ServerA"?

If so then just use a wildcard in the stanza:https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf?utm_source=answers&utm_medium=i...

Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored inputs. Use
  "..." for recursive directory matching and "*" for wildcard matching in a
  single directory segment.
* "..." recurses through directories. This means that /foo/.../bar matches
  foo/1/bar, foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path. For
  example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...", it
  does not recurse. For example, /foo/*/bar matches the files
  /foo/1/bar, /foo/2/bar, etc. However, it does not match
  /foo/bar or /foo/1/2/bar.
  A second example: /foo/m*r/bar matches /foo/mr/bar, /foo/mir/bar,
  /foo/moor/bar, etc. It does not match /foo/mi/or/bar.
* You can combine "*" and "..." as needed: foo/.../bar/* matches any file in
  the bar directory within the specified path.

@marycordova

atownson · ‎11-05-2019

There are other files that would/could match the wildcard pattern that we would not want to index. We're currently using the wildcard method and it's indexing files we don't want. So specifically we need to monitor for [hostname].xml.

How to monitor a file that includes the hostname of the machine and access local hostname in inputs.conf

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk