Solved: host name extraction during data upload

ugoetzen_splunk · ‎07-11-2017

Just trying to manually add data with different host names in the logs. (with the "add data wizard")
What is the best way to extract the host names during the import? (nobud02, appplusf13,...)

Sample data looks like this:
{"host":"nobud02","ident":"dockerd-current","message":"time=\"2017-06-12T18:00:00.745384875+02:00\" level=error msg=\"Handler for POST /containers/weaveproxy/exec returned error: No such container: weaveproxy\"","log_time":"2017-06-12T16:00:00Z"}
{"host":"appplusf13","ident":"systemd","message":"Created slice user-0.slice.","log_time":"2017-06-12T16:00:01Z"}
{"host":"appngu51","ident":"systemd","message":"Created slice user-0.slice.","log_time":"2017-06-12T16:00:01Z"}
{"host":"delme-20170530-rs1","ident":"systemd","message":"Started Session 2594 of user root.","log_time":"2017-06-12T16:00:01Z"}

Thanks in advance.

somesoni2 · ‎07-11-2017

YOu'd need to setup props/transforms to override host from raw data. See this for reference.

https://answers.splunk.com/answers/409734/unable-to-override-host-value-using-regex.html

View solution in original post

somesoni2 · ‎07-11-2017

YOu'd need to setup props/transforms to override host from raw data. See this for reference.

https://answers.splunk.com/answers/409734/unable-to-override-host-value-using-regex.html

skoelpin · ‎07-11-2017

You're looking for host_segment

If set to N, the Nth "/"-separated segment of the path is set as host. If
  host_segment=3, for example, the third segment is used.

https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Inputsconf

richgalloway · ‎07-11-2017

I believe host_segment refers to the file path of the data source, not the data itself.

---
If this reply helps you, Karma would be appreciated.

host name extraction during data upload

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake