Solved: transform hostname based on log filename?

stwong · ‎02-02-2017

Hi, we're going to monitor following files on a host with universal forwarder installed:

/data/asav/gw1new/log1.gz
/data/asav/gw2new/log1.gz
/data/asav/gw3new/log1.gz

Since there is no hostname recorded in the log, we want to set hostname like this for stanza [monitor:///data/asav/gw*/*gz]:

gw1new -> mailgw1
gw2new -> mailgw2
gw3new -> mailgw3

Would anyone please help?
Thanks a lot.

/ST Wong

mirkoneverstops · ‎02-03-2017

Check this inputs.conf setting:
host_segment = *integer*
Sets the segment of the path as the host, using integer to determine the segment.
For example, if host_segment = 2, host becomes the second segment of the path. Path segments are separated by the '/' character.

Source: http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Monitorfilesanddirectorieswithinputs.conf

View solution in original post

mirkoneverstops · ‎02-03-2017

Check this inputs.conf setting:
host_segment = *integer*
Sets the segment of the path as the host, using integer to determine the segment.
For example, if host_segment = 2, host becomes the second segment of the path. Path segments are separated by the '/' character.

Source: http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Monitorfilesanddirectorieswithinputs.conf

View solution in original post

stwong · ‎02-03-2017

Thanks, but we hope to do some transform based on segment 3, e.g.

/data/asav/gw1new/log.1.gz

host_rex = 3 gives gw1new. Then we hope to do something like:

echo gw1new | sed 's/(gw[0-9])new$/mail\1/g'

that gives mailgw1.

Possible to do so?
Thanks.

mirkoneverstops · ‎02-03-2017

Yes, with a transform like:

[rename_gw_hostname]
SOURCE_KEY = MetaData:Host
REGEX = host::(\w\w\d)new
FORMAT = host::mail$1
DEST_KEY = MetaData:Host

Applied with props like:
[host::gw*new]
TRANSFORMS-rename_gw_hostname = rename_gw_hostname

I didn't tested it but it should work.

stwong · ‎02-05-2017

It works! Thanks a lot for your help.