Hi :
I have a monitor stanza through which the Splunk process is monitoring logs from:
/var/log/hosts//Tue/-2017050209
This is what I have defined in inputs.conf:
[monitor:///var/log/hosts/56.*/.../(\d+).(\d+).(\d+).(\d+)-(\d+)]
host_segment = 4
sourcetype = syslog
index = networkperimeter_firewalls
source = ASA-casyslog1_server
blacklist = \.(gz|bz2|z|zip)$
ignoreOlderThan = 1d
crcSalt =
But while checking the logs on the Splunk search head, the host value shows the host where the UF is installed; it is not taking the host from the host_segment value. Is there something I am missing or doing incorrectly?
Your inputs are highly appreciated.
I feel the reason is that you have set the sourcetype to "syslog", and it will use the built-in syslog-host transform.
Can you just try
[monitor:///var/log/hosts/56.*/.../(\d+).(\d+).(\d+).(\d+)-(\d+)]
host_segment = 4
sourcetype = mydummy
index = networkperimeter_firewalls
source = ASA-casyslog1_server
blacklist = \.(gz|bz2|z|zip)$
ignoreOlderThan = 1d
If this is successful, we will then think of how to override the sourcetype to use host_segment.
What part of that directory is the hostname?
So did you delete the hostname? So is it this?
/var/log/hosts/HOSTNAME/Tue/-2017050209
Have you tried this:
[monitor:///var/log/hosts/*/.../(\d+).(\d+).(\d+).(\d+)-(\d+)]
host_segment = 4
(4th segment)
It should work. This will only update the host for events coming from this monitor stanza, unless some setting is overriding it again at heavy forwarder/indexer level.