Knowledge Management

Unable to recognize hostname from source

splunklearner12
Path Finder

My data consists of a hierarchical zip file. Although the hostname is always located in the fifth and last segment of the path, entering 5 at index time for "Segment in path" did not work. Instead, the host is always displayed as 127.0.0.1.
For reference, the source path looks similar to this: files.zip:./files/dir/logs/hostname
I have also tried many other numbers, including -1 in the hope that it could count backwards.
Even when uploading one single log file which just has the hostname as the filename, and entering segment in path = 1, the hostname was not recognised.
I don't have access to edit props.conf, transforms.conf etc., so it would need to work from the web interface.

splunklearner12
Path Finder

I have found a workaround by creating a field transformation with the below regex, and a corresponding field extraction.
files.zip:./files/.*/.*/(?<hostname>[\w-]*)
Then, created an alias for hostname AS host, i.e. overwriting field values.
It's not ideal because now the search for the host is doubled up in two fields, so I'm still interested if there's a solution for the segment in path method at index time.
- Sorry for all the edits, I had to figure out how to display <, > and *

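The regex from the workaround above, run against constructed source values in Python as an added example (this is not code from the thread and not a statement of how Splunk's own "Segment in path" / host_segment logic counts). Python's re module spells a named group (?P<name>...), whereas Splunk's PCRE accepts (?<name>...); the pattern is otherwise the one posted. ANCHORED_PATTERN, host_from_source and nth_segment are names chosen here. The tightened pattern shows two edge cases the posted regex does not cover: a hostname containing dots is cut at the first dot by [\w-]*, and a source with a different directory depth does not match at all.

```python
import re

# Regex posted in the thread, with the HTML entities decoded. Python needs
# (?P<name>...) for a named group; Splunk's PCRE accepts (?<name>...).
THREAD_PATTERN = re.compile(r"files.zip:./files/.*/.*/(?P<hostname>[\w-]*)")

# Tightened variant (added here, not from the thread): literal dots escaped,
# any number of intermediate directories allowed, and the capture is the last
# '/'-separated segment up to the end of the source, dots included.
ANCHORED_PATTERN = re.compile(
    r"^files\.zip:\./files/(?:[^/]+/)*(?P<hostname>[^/]+)$"
)


def host_from_source(source: str, pattern: re.Pattern = THREAD_PATTERN):
    """Return the hostname captured from a Splunk 'source' value, or None.

    An empty capture (for example a name starting with a character that
    [\\w-] does not accept) is reported as None rather than as ''.
    """
    m = pattern.search(source)
    if not m:
        return None
    return m.group("hostname") or None


def nth_segment(source: str, n: int):
    """1-based '/'-separated segment of a source string, or None if out of range.

    Plain split used only to show which string the question counts as the
    fifth segment; it makes no claim about Splunk's host_segment behaviour.
    """
    segments = source.split("/")
    if n < 1 or n > len(segments):
        return None
    return segments[n - 1]


# Constructed sample sources shaped like the one in the question.
SAMPLE_SOURCES = [
    "files.zip:./files/dir/logs/web-01",               # as in the question
    "files.zip:./files/dir/logs/web-01.example.com",   # FQDN as hostname
    "files.zip:./files/dir/sub/logs/web-02",           # one directory deeper
    "files.zip:./files/logs/web-03",                   # one directory shallower
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(
            f"{src}\n"
            f"  thread regex   -> {host_from_source(src)!r}\n"
            f"  anchored regex -> {host_from_source(src, ANCHORED_PATTERN)!r}\n"
            f"  segment 5      -> {nth_segment(src, 5)!r}"
        )
```

Running it shows the posted regex returning web-01 for both the plain and the FQDN sample, nothing for the shallower path, and the anchored variant returning the full final segment in every case. The nth_segment output also shows that a plain split of the question's source yields five segments with the hostname last, and that a negative index such as -1 is simply out of range under 1-based counting.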

uhaq
Explorer

Are you working on an all-in-one Splunk instance or a distributed environment?

I would also check my inputs.conf to see if a host=127.0.0.1 parameter was also defined for the path you want to monitor.

splunklearner12
Path Finder

Yes, it's single instance.
There was a line saying host=splunk in local/inputs.conf which I deleted and then restarted splunk, but it made no difference. I found in the web app server settings > general settings that a default host was set to splunk, which I deleted and then restarted, but after restarting the setting just reappeared. The segment in path still doesn't work.