Inputs.conf - use a variable

sbridge · ‎07-25-2018

Hello all. I have a bunch of *nix machines which all mount the same shared file server location to write their logs (/mnt/logs for example). For various (mostly political) reasons, it will be very difficult for me to run a UF on the back-end fileserver, so I need to run a forwarder on each server, and only grab the logs for that one server. All the machines have a directory under the common share which matches the hostname of the machine (/mnt/logs/shorthostname). I could, of course, script the creation of inputs.conf on every machine, but it would be difficult to manage - I don't see how I could push a new inputs.conf from the DS.
Two questions:
1.) Is there any way to use a variable inside a monitor stanza that will contain the short hostname?
2.) Is there something similar to host_segment that I could use to set the sourcetype from the log path?

thank you,
-S

sudosplunk · ‎07-25-2018

Hello sbridge,

For managing inputs.conf, you can install an UF on the one server where logs from all your other servers are stored (/mnt/logs/shorthostname) and then manage it with DS.

Your other two questions:

Yes. You can use host_segement to in your monitor stanza to capture hostnames from file path.
Sourcetypes can be defined freely in inputs.conf with whatever name you want. You don't need a configuration setting to set sourcetype.

This is how your inputs.conf looks like:

[monitor:///mnt/logs/shorthostname1]
host_segment = 3
sourcetype = any_sourcetype_name_you_like

[monitor:///mnt/logs/shorthostname2]
host_segment = 3
sourcetype = any_sourcetype_name_you_like

Inputs.conf - use a variable

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!