Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

host name from log file

indeed_2000
Motivator
‎04-26-2020 10:32 AM

hi i have lot's of log file that start with this line for each log
********** LOGFILE FOR SERVER 'host22', AT THE DAY OF : 2020/04/25 **********

now how can i set host name for each log,
expected host name: host22

FYI: all log files copy manually from each server daily, and not use forwarder in this scenario.
all loge copy in /opt like below, and splunk continuously index this path:
log1
log2
log3
...

any recommendation?
Thanks

0 Karma
Reply

to4kawa
Ultra Champion
‎04-26-2020 12:45 PM

transforms.conf

try INGEST_EVAL or DEST_KEY = MetaData:Host

0 Karma
Reply

indeed_2000
Motivator
‎04-26-2020 03:33 PM

You mean i should use something like this?

Override host:
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = ^[^'\n]*'(?P\w+)
FORMAT = host::$1

0 Karma
Reply

to4kawa
Ultra Champion
‎04-27-2020 02:03 AM

yes, Don't forget props.conf.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...