Usage Of host_segment Attribute In inputs.conf
host_segment is the attribute used in inputs.conf to set the host name from a segment of the path given in the monitor stanza.
Syntax:
host_segment = <integer>
If <integer> is N, Splunk treats the Nth “/”-separated (on Windows, “\”-separated) segment of the path given in the monitor stanza of inputs.conf as ‘host’.
For example, if host_segment=3, the third segment will be treated as “host”.
If the value is not an integer or is less than 1 or not mentioned, then the default ‘host’ setting will be applied.
Let’s take an example. Suppose we want to ingest data into Splunk from the path “/tmp”, which contains three folders named host_one, host_two and host_three. Each folder holds some text files, and we want to ingest all of them into Splunk. We also want host_one, host_two and host_three to become the host names of the text files in those folders.
I hope you have understood the concept so let’s start.
So go to the following path and open inputs.conf:
$SPLUNK_HOME\etc\system\local
And within inputs.conf, write:
[monitor:///tmp/host*/*.txt]
host_segment = 2
index = test_index
sourcetype = host_segment
Now save it and restart your Splunk server by going to the $SPLUNK_HOME\bin.
Now go to the GUI of your search head and search that index for the data you have just ingested.
Log in to Splunk with your credentials.
And search.
index=test_index sourcetype=host_segment
Result:
Explanation:
Here we have set host_segment = 2, so Splunk took the 2nd “/”-separated segment of the path in the monitor stanza, which is “host*” (i.e. host_one, host_two and host_three), as the host.
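To check which host values a host_segment setting will produce before restarting Splunk, the rule above can be previewed offline. The following is an added example, not Splunk code or part of the original article: the function names, the default host name and the sample paths are constructed, and it assumes that a path with fewer than N segments keeps the default host.

```python
import re
from collections import defaultdict

DEFAULT_HOST = "splunk-forwarder-01"  # constructed stand-in for the default 'host' setting

def resolve_host(path, host_segment, default_host=DEFAULT_HOST):
    """Host value a monitored file would get for a given host_segment."""
    value = str(host_segment).strip()
    # Not an integer, less than 1, or not set: the default host applies.
    if not re.fullmatch(r"[0-9]+", value) or int(value) < 1:
        return default_host
    # Segments are separated by "/" (or "\" on Windows); empty pieces are dropped.
    segments = [s for s in re.split(r"[\\/]", path) if s]
    n = int(value)
    # Assumption of this sketch: a path with fewer than N segments keeps the default host.
    return segments[n - 1] if n <= len(segments) else default_host

def preview(paths, host_segment):
    """Group files by the host they would be indexed under."""
    hosts = defaultdict(list)
    for p in paths:
        hosts[resolve_host(p, host_segment)].append(p)
    return dict(hosts)

def check(paths, host_segment):
    """Flag settings that would mislabel events before they reach the index."""
    found = []
    grouped = preview(paths, host_segment)
    if len(paths) > 1 and len(grouped) == 1:
        found.append("all files collapse onto one host: %s" % next(iter(grouped)))
    for host, files in grouped.items():
        if any(re.split(r"[\\/]", f)[-1] == host for f in files):
            found.append("host equals a file name: %s" % host)
    return found

# Constructed sample paths matching the article's /tmp/host*/*.txt layout.
SAMPLE = ["/tmp/host_one/a.txt", "/tmp/host_two/b.txt", "/tmp/host_three/c.txt"]

if __name__ == "__main__":
    for n in ("2", "1", "3", "abc"):
        print(n, preview(SAMPLE, n), check(SAMPLE, n))
```

A wrong segment number silently files every event under a directory name, a file name or the forwarder's own host, which breaks any search or alert keyed on host, so an empty result from check() is worth confirming before the stanza is deployed.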
I hope you all have understood this tricky but simple concept of “Usage Of host_segment Attribute In inputs.conf”.
Happy Splunking !!!