Getting Data In

host name from log file

mehrdad_2000
Path Finder

hi i have lot's of log file that start with this line for each log
********** LOGFILE FOR SERVER 'host22', AT THE DAY OF : 2020/04/25 **********

now how can i set host name for each log,
expected host name: host22

FYI: all log files copy manually from each server daily, and not use forwarder in this scenario.
all loge copy in /opt like below, and splunk continuously index this path:
log1
log2
log3
...

any recommendation?
Thanks

0 Karma

to4kawa
SplunkTrust
SplunkTrust

transforms.conf

try INGEST_EVAL or DEST_KEY = MetaData:Host

0 Karma

mehrdad_2000
Path Finder

You mean i should use something like this?

Override host:
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = ^[^'\n]*'(?P\w+)
FORMAT = host::$1

0 Karma

to4kawa
SplunkTrust
SplunkTrust

yes, Don't forget props.conf.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!