I am using a host segment to set a 'hostname' (we have multiple hosts on one box) as set out below:
[monitor://c:\logs\node-21\*.log]
host_segment = 2
index = node_logs
sourcetype = node_logs
I would like to see my other 'hostname' and the ip address. The reason being I may need to move these 'hosts' between machines so it would be good to know the ip address they came from.
Has anyone got this kind of setup or have any good ideas?
Regards
Andy
You are only monitoring the 'node-21' directory for log files, thus, host_segment=2 will always be 'node-21'. Wildcards can be used to monitor more directories. See below.
Do you by 'ip-address of the host server' mean the physical machine where the nodes are running, and where the log file directories are created/stored? If so, perhaps the easiest way would be to change the logging directory, so that this piece of information gets stored in the source field, i.e.
[monitor://c:\logs\server_a\node*\*.log]
host_segment=3
index=node_logs
sourcetype=node_logs
The source field is present in all events, and can then be used to see from where an event originated.
OR
You could do the opposite - remove the host_segment configuration, so that all events will have the host value set to the physical machine. Then you can use the source field to find out which node an event came from.
OR
you can just set the value of source in inputs.conf to any string you like, even though the general recommendation is to let it be.
For more information, see:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
/K
Hi Kristian,
I went with the source option in the end. I removed the host_segment config from the UF and then did an extract within PROPS.conf to create an extra field called 'node'.
Thanks for your input, really helpful.
Regards
Andy
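To make the two approaches in this thread concrete, here is an added example (not code from the thread or from Splunk) that models what the host and node fields come out as under each option: host_segment picking a directory out of the monitored path versus dropping host_segment and extracting a node field from source in props.conf. It assumes, following the thread's own example where host_segment=2 on c:\logs\node-21\*.log gives 'node-21', that the drive letter is not counted as a segment; the sample paths and the node-\d+ naming pattern are constructed.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample of the layout discussed in the thread: several logical
# nodes writing logs under one physical server's directory.
SAMPLE_PATHS = [
    r"c:\logs\server_a\node-21\app.log",
    r"c:\logs\server_a\node-23\error.log",
]

def host_from_segment(path: str, host_segment: int) -> str:
    """Mimic inputs.conf 'host_segment = N' for a Windows monitor path.

    Assumption taken from the thread's example: the drive letter is not a
    segment, so 'logs' is segment 1. Check this against your own forwarder.
    """
    parts = PureWindowsPath(path).parts          # ('c:\\', 'logs', ..., 'app.log')
    segments = [p for p in parts[1:] if p]       # drop the drive, keep dirs + file
    if host_segment < 1 or host_segment > len(segments) - 1:
        raise ValueError(f"host_segment={host_segment} is not a directory of {path!r}")
    return segments[host_segment - 1]

# The same pattern Andy's props.conf extraction could use. In Splunk's PCRE
# syntax the equivalent (assumed, not quoted from the thread) would be:
#   [node_logs]
#   EXTRACT-node = [\\/](?<node>node-\d+)[\\/][^\\/]+$ in source
NODE_RE = re.compile(r"[\\/](?P<node>node-\d+)[\\/][^\\/]+$")

def node_from_source(source: str) -> Optional[str]:
    """Pull the logical node name out of the source path, or None if absent."""
    m = NODE_RE.search(source)
    return m.group("node") if m else None

def describe_event(path: str, physical_host: str, host_segment: Optional[int]) -> dict:
    """Return the host/source/node trio an event would carry.

    host_segment=None models the option Andy chose: no host_segment in
    inputs.conf, so host is the forwarder's own (physical) hostname and the
    node is recovered from source instead. No information is lost either way.
    """
    host = physical_host if host_segment is None else host_from_segment(path, host_segment)
    return {"host": host, "source": path, "node": node_from_source(path)}

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print("host_segment=3 :", describe_event(p, "SRV-A", 3))
        print("no host_segment:", describe_event(p, "SRV-A", None))
```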
Hi,
Well, for option one, you would add an extra piece of info to the source, namely the physical host, by having that in the path to the log file directory. No information lost.
For option two, you would still not lose info. The physical host would be found in the host and the logical node in the source for each event.
Option three is just a refined version of option two.
Hi Kristian,
No, the directory is changing (see last response); this is why I used the host_segment. I would like to add the ip address of the physical host server to the events; ideally I don't want to change the source as the filenames contain useful information.
Regards
Andy
Hi Kristian,
I want to see node-21 or node-23 or whatever happens to be in the directory portion as the 'hostname', I do not really care about the physical hostname of the server. I would like to see the ip addresses of the host server as these nodes may need to be moved to a different server at times and I would like a way of tracking which server the nodes were on at any one time.
Hope that makes sense.
Hm.. not sure I fully understand. With your current configuration the host field will be set to 'node-21' at all times. Is that really what you want?
By "other hostname", do you mean the physical box where the logs are stored?