Getting Data In

How to persuade file monitor to use a data field as host?

yuanliu
SplunkTrust

(I previously asked this in a more vague CSV context.)  I am using file monitor to ingest data from an API that returns JSON.  I have to split the returns into individual files with the host name in the file path so I can use host_regex to force the host field at index time.

Is there an easier way to persuade the monitor so I can write returns into the same file? (There are advantages to writing smaller files.  But there are also disadvantages to writing numerous files and having numerous "sources".)  The last time I tried with CSV, setting a field named "host" didn't seem to be much of a persuasion, as the indexer renamed the "host" field to "detected_host" with that value, instead of setting "host" directly to the source's "host" value.

With JSON, the "host" field value is coalesced into the indexed "host" field as a second value (whether or not the value is the same as the "other"/"default" value).  A multivalue "host" can be an even bigger problem if the original JSON happens to contain a field named "host". (Not in the APIs that I am testing, but there could be.)

Or is this caused by something wrong with my test method?

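The per-host file layout the post describes, as an added example that is not the poster's code and not anything shipped by Splunk: it writes each API record as one JSON line into a directory named after the host, refuses host names that cannot safely be a single path segment (so an API-supplied name cannot become a traversal into another directory), renames any "host" key the record already carries so it cannot end up as a second value of the indexed host field, and applies the same regex that an inputs.conf host_regex would apply to the resulting source path. The field name hostname, the hosts/<host>/api.json layout, the monitor path in the comment, the sample records and the regex are all assumptions for the example.

```python
import json
import os
import re
import tempfile

# Constructed sample of what an API might return; not real data from the post.
SAMPLE_RESPONSES = [
    {"hostname": "web01", "status": "ok", "load": 0.4},
    {"hostname": "web02", "status": "degraded", "load": 2.1},
    {"hostname": "web01", "status": "ok", "load": 0.5, "host": "from-api"},
]

# inputs.conf stanza this layout is written for (assumed monitor path):
#   [monitor:///var/splunk/api_dumps/hosts]
#   host_regex = /hosts/([^/]+)/api\.json$
# Splunk applies host_regex to the source path and takes the first capture group.
HOST_REGEX = re.compile(r"/hosts/([^/]+)/api\.json$")

# Host names become a directory name, so only allow one safe path segment.
SAFE_HOST = re.compile(r"^[A-Za-z0-9._-]{1,253}$")


def is_safe_host(name):
    """True if name can be used as one path segment: no separators, no '.' or '..'."""
    return isinstance(name, str) and bool(SAFE_HOST.match(name)) and name not in (".", "..")


def write_per_host(records, base_dir, host_key="hostname"):
    """Append each record as one JSON line to <base_dir>/hosts/<host>/api.json.

    Returns {host: number_of_events_written}. Raises ValueError on unsafe host names.
    """
    counts = {}
    for rec in records:
        host = rec.get(host_key)
        if not is_safe_host(host):
            raise ValueError(f"refusing unsafe host name: {host!r}")
        rec = dict(rec)
        # If the API record itself carries a "host" key, rename it so the JSON
        # field cannot be merged into Splunk's indexed host field as a second
        # value (a design choice for this example, not Splunk behaviour).
        if "host" in rec:
            rec["api_host"] = rec.pop("host")
        host_dir = os.path.join(base_dir, "hosts", host)
        os.makedirs(host_dir, exist_ok=True)
        with open(os.path.join(host_dir, "api.json"), "a", encoding="utf-8") as fh:
            fh.write(json.dumps(rec, separators=(",", ":")) + "\n")
        counts[host] = counts.get(host, 0) + 1
    return counts


def host_from_source(path):
    """What host_regex would yield for a source path: first capture group, or None."""
    m = HOST_REGEX.search(path.replace(os.sep, "/"))
    return m.group(1) if m else None


def run_demo():
    """Write the sample into a temp dir; return (counts, {relative source: host}, {host: events})."""
    with tempfile.TemporaryDirectory() as tmp:
        counts = write_per_host(SAMPLE_RESPONSES, tmp)
        sources = {}
        events = {}
        for root, _, files in os.walk(tmp):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, tmp).replace(os.sep, "/")
                sources[rel] = host_from_source(full)
                with open(full, encoding="utf-8") as fh:
                    events[sources[rel]] = [json.loads(line) for line in fh]
        return counts, sources, events


if __name__ == "__main__":
    counts, sources, events = run_demo()
    print(counts)
    for src, host in sorted(sources.items()):
        print(f"{src} -> host={host}, events={len(events[host])}")
```

For a layout with a fixed directory depth like this one, inputs.conf also documents host_segment = N, which takes the Nth "/"-separated segment of the path as the host and avoids maintaining a regex; either way the host is still coming from the path, so the writer has to keep producing one file per host, which is exactly the cost the question is asking to avoid.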