How can you create a "host" by the file name being indexed? I'm looking to index my firewall configuration files, and currently the snapshots are saved with the firewall's hostname. Clear as mud?
You can look at the host_segment and host_regex settings that can be used with the file monitor stanzas in inputs.conf, to extract the source host from the file path.
FYI, and as a supplemental to the above answer, I keep my files in the following directory:
/var/splunk/input/mms_logs/
The filename structure is:
mms_HOST-IP-ADDRESS_TIMESTAMP.log
examples:
mms_10.152.58.100_20110101_004000_06137.log
mms_10.152.58.194_20110121_120000_70656.log
Now to extract the IP address portion of filename as a host, I used the following regex:
/var/splunk/input/mms_logs/mms_(\d+\.\d+\.\d+\.\d+)_\d+
Voila! From the above examples I now have two hosts (10.152.58.100 & 10.152.58.194), along with all of the events that are hosted within the files 🙂
Hope this helps someone!
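To check a host_regex or host_segment value against real file paths before rolling it into inputs.conf, here is an added example (not from the page or from Splunk) that mirrors both settings in plain Python: host_regex yields the first capture group of a match against the full path, host_segment yields the 1-based path segment with the leading "/" ignored. The directory and filenames are constructed to match the scheme above; the escaped-dot regex is an assumption based on the answer's pattern.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Constructed sample paths following the mms_HOST-IP-ADDRESS_TIMESTAMP.log scheme.
SAMPLE_PATHS = [
    "/var/splunk/input/mms_logs/mms_10.152.58.100_20110101_004000_06137.log",
    "/var/splunk/input/mms_logs/mms_10.152.58.194_20110121_120000_70656.log",
    "/var/splunk/input/mms_logs/README.txt",  # does not fit the scheme
]

# Assumed inputs.conf equivalent (not from the page):
#   [monitor:///var/splunk/input/mms_logs]
#   host_regex = /var/splunk/input/mms_logs/mms_(\d+\.\d+\.\d+\.\d+)_\d+
# Dots are escaped so a literal '.' is required between octets; an unescaped
# '.' would also accept any single character there.
HOST_REGEX = re.compile(r"/var/splunk/input/mms_logs/mms_(\d+\.\d+\.\d+\.\d+)_\d+")


def host_from_regex(path: str, pattern: re.Pattern = HOST_REGEX) -> Optional[str]:
    """Mirror host_regex: first capture group of a match on the full path, else None."""
    m = pattern.search(path)
    return m.group(1) if m else None


def host_from_segment(path: str, segment: int) -> Optional[str]:
    """Mirror host_segment: the 1-based segment of the path, ignoring the leading '/'."""
    parts = [p for p in PurePosixPath(path).parts if p != "/"]
    return parts[segment - 1] if 1 <= segment <= len(parts) else None


def index_hosts(paths: List[str], pattern: re.Pattern = HOST_REGEX) -> Dict[Optional[str], List[str]]:
    """Group paths by the host the regex extracts; None collects files that would
    fall back to the input's default host in Splunk."""
    grouped: Dict[Optional[str], List[str]] = {}
    for p in paths:
        grouped.setdefault(host_from_regex(p, pattern), []).append(p)
    return grouped


if __name__ == "__main__":
    for host, files in index_hosts(SAMPLE_PATHS).items():
        print(host, "->", files)
```

A None key in the result is the signal to tighten the regex or rename the offending files before indexing, since those events would otherwise be tagged with the forwarder's default host.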
You're the man!!!