Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

host name from log file

indeed_2000
Motivator
‎04-26-2020 10:32 AM

hi i have lot's of log file that start with this line for each log
********** LOGFILE FOR SERVER 'host22', AT THE DAY OF : 2020/04/25 **********

now how can i set host name for each log,
expected host name: host22

FYI: all log files copy manually from each server daily, and not use forwarder in this scenario.
all loge copy in /opt like below, and splunk continuously index this path:
log1
log2
log3
...

any recommendation?
Thanks

0 Karma
Reply

to4kawa
Ultra Champion
‎04-26-2020 12:45 PM

transforms.conf

try INGEST_EVAL or DEST_KEY = MetaData:Host

0 Karma
Reply

indeed_2000
Motivator
‎04-26-2020 03:33 PM

You mean i should use something like this?

Override host:
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = ^[^'\n]*'(?P\w+)
FORMAT = host::$1

0 Karma
Reply

to4kawa
Ultra Champion
‎04-27-2020 02:03 AM

yes, Don't forget props.conf.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

How Edge Processor's Durable Queue Works

Edge Processor sits in one of the most consequential places in any Splunk pipeline: between your data sources ...