Solved: Re: add oneshot with host segment

melonman · ‎09-28-2010

Hi there,

I need to re-index some data. In inputs.conf, host_segment parameter is configured as follows:

host_segment = 3

And I issued the following add oneshot command after deleting indexes using "| delete" command:

splunk add oneshot "/path/to/host1/file" -index myidx -sourcetype mytype
splunk add oneshot "/path/to/host2/file" -index myidx -sourcetype mytype
splunk add oneshot "/path/to/host3/file" -index myidx -sourcetype mytype

However, I got the following result:

splunk search '* | top host'

host    count    percent
------ ------ ----------
myhost      5 100.000000

myhost is hostname of splunk server. I expected host1, host2 and host3 in the result.

Could anyone help me retrieve host value using host_segment?

Thanks!

gkanapathy · ‎09-28-2010

Seems to me if you're putting this in a script and you have the source or file name, it should not be that hard to get the correct host value and that as the argument to the -host option, e.g.

for fn in `cat filelist.txt` ; do
  h=`echo $i | awk -F/ '{print $4}'`
  oneshot $i -host $h -index myidx -sourcetype mytype
done

View solution in original post

gkanapathy · ‎09-28-2010

Seems to me if you're putting this in a script and you have the source or file name, it should not be that hard to get the correct host value and that as the argument to the -host option, e.g.

for fn in `cat filelist.txt` ; do
  h=`echo $i | awk -F/ '{print $4}'`
  oneshot $i -host $h -index myidx -sourcetype mytype
done

Masa · ‎10-02-2010

Yes, we support -host_segment option. We just need to add it in our doc and command help.

melonman · ‎09-30-2010

Quick confirmation, do you know if using add oneshot with -host_segment option is supported operation by splunk?

gkanapathy · ‎09-29-2010

This doesn't seem to have anything to do with host_segment

melonman · ‎09-29-2010

After deleting and reindexing the same file, it takes some time to get the reindexed data to show up in the search result. Target file contains about 10 lines, and the number of them is 5.

gkanapathy · ‎09-28-2010

What do you mean by "right result"? how big are the files? how many are there?

melonman · ‎09-28-2010

yes, you are right. However, even with -host, it takes about 10 minutes to get the right result. Is it expected behavior? I thought data was indexed right after oneshot command issued.

melonman · ‎09-28-2010

I issued the following,

splunk add oneshot "/path/to/host1/file" -index myidx -sourcetype mytype -host_segment 3

I didn't get the result immediately, but I could get correct result after 5 or 6 minutes. Is this expected behaivior?
I would appreciate if anyone could also comment on this.

add oneshot with host segment

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?

add oneshot with host segment

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...