Usage Of host_segment Attribute In inputs.conf


“host_segment” is the setting used in inputs.conf to take the host name from a segment of the path given in the monitor stanza.
Syntax:

host_segment = <integer>

If <integer> is N, Splunk treats the Nth “/”-separated (on Windows, “\”-separated) segment of the path in the monitor stanza of inputs.conf as the ‘host’.
For example, if host_segment=3, the third segment will be treated as “host”.
If the value is not an integer, is less than 1, or is not set, the default ‘host’ setting will be applied.
Let’s take an example. Suppose we want to ingest data into Splunk from the path “/tmp”, which contains three folders named host_one, host_two and host_three. Each folder holds some text files, and we want to ingest all of them into Splunk, with host_one, host_two and host_three set as the host names of the text files inside them.


I hope you have understood the concept, so let’s start.
Go to the following path and open inputs.conf:

$SPLUNK_HOME\etc\system\local

Within inputs.conf, add:

[monitor:///tmp/host*/*.txt]
host_segment = 2
index = test_index
sourcetype = host_segment

Now save the file and restart your Splunk server from $SPLUNK_HOME\bin.


Now go to the GUI of your search head and search that index for the data you have just ingested.
Log in to Splunk with your credentials.



And search.

index=test_index
sourcetype=host_segment

Result:


Explanation:
Here we set host_segment = 2, so Splunk took the 2nd “/”-separated segment of the path in the monitor stanza, which is “host*” (i.e. host_one, host_two and host_three).
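To check which host value each file will get before deploying a stanza, the rule above can be emulated offline. This is an added example, not Splunk's own code: the function names, the sample paths and the "default-host" value are made up for illustration, and falling back to the default when N is larger than the number of segments is an assumption the rule above does not cover.

```python
import re

def host_for_path(path, host_segment, default_host):
    """Return the host a monitored file would get under the host_segment rule."""
    try:
        n = int(str(host_segment).strip())
    except ValueError:
        return default_host            # not an integer, or not set
    if n < 1:
        return default_host            # less than 1
    # Split on "/" (or "\" on Windows); drop the empty piece before a leading "/".
    segments = [s for s in re.split(r"[/\\]", path) if s]
    if n > len(segments):
        return default_host            # assumption: out of range uses the default
    return segments[n - 1]

def preview(paths, host_segment, default_host="default-host"):
    """Group file paths by the host value they would be indexed under."""
    hosts = {}
    for p in paths:
        hosts.setdefault(host_for_path(p, host_segment, default_host), []).append(p)
    return hosts

# Constructed sample: files matching [monitor:///tmp/host*/*.txt]
SAMPLE_PATHS = [
    "/tmp/host_one/app.txt",
    "/tmp/host_one/error.txt",
    "/tmp/host_two/app.txt",
    "/tmp/host_three/app.txt",
]

if __name__ == "__main__":
    # 2 is the value from the stanza; 3 is an off-by-one mistake that turns
    # the file name into the host; 0 falls back to the default host.
    for n in (2, 3, 0):
        print(f"host_segment = {n}")
        for host, files in sorted(preview(SAMPLE_PATHS, n).items()):
            print(f"  host={host}: {len(files)} file(s)")
```

Running it shows that host_segment = 3 on this stanza would index events under hosts named app.txt and error.txt, which is worth catching before the data reaches the index.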
I hope you all have understood this tricky but simple concept of “Usage Of host_segment Attribute In inputs.conf”.

Happy Splunking !!!
