Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

inputs.conf segment setting

plumainwfs
New Member
‎03-12-2017 09:53 AM

Not sure why the hostname for the monitor stanza below is not being parsed out...

directory is as follows:
/mnt/log/files/2017/month/day/HOSTNAME/auth.logs

i would have thought by adding a stanza segment=7 will pull the following hostnames: servera, serverb, serverc... and so forth.

[monitor:///mnt/log/files/2017/03/(05|06|07|08|09)/.../auth.log.gz]
whitelist=servera|serverb|serverc|serverd|servere|serverf
segment=7
index=temp
sourcetype=nix:auth

Not sure what do I have to change here to get this to have the hostname, instead it is pulling the hostname for the local logserver.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎03-12-2017 10:24 AM

Its called host_segment not segment...

from inputs.conf:

host_segment = <integer>
* If set to N, the Nth "/"-separated segment of the path is set as host. If
  host_segment=3, for example, the third segment is used.
* If the value is not an integer or is less than 1, the default "host ="
  setting is used.
* Defaults to unset.
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-18-2019 05:21 AM

@plumainwfs can you come back to this answer and let us know if it solves your problem by accepting an answer or adding more details?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...