Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

host name from log file

indeed_2000
Motivator
‎04-26-2020 10:32 AM

hi i have lot's of log file that start with this line for each log
********** LOGFILE FOR SERVER 'host22', AT THE DAY OF : 2020/04/25 **********

now how can i set host name for each log,
expected host name: host22

FYI: all log files copy manually from each server daily, and not use forwarder in this scenario.
all loge copy in /opt like below, and splunk continuously index this path:
log1
log2
log3
...

any recommendation?
Thanks

0 Karma
Reply

to4kawa
Ultra Champion
‎04-26-2020 12:45 PM

transforms.conf

try INGEST_EVAL or DEST_KEY = MetaData:Host

0 Karma
Reply

indeed_2000
Motivator
‎04-26-2020 03:33 PM

You mean i should use something like this?

Override host:
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = ^[^'\n]*'(?P\w+)
FORMAT = host::$1

0 Karma
Reply

to4kawa
Ultra Champion
‎04-27-2020 02:03 AM

yes, Don't forget props.conf.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...