
Usage Of host_segment Attribute In inputs.conf

“host_segment” is the attribute used in inputs.conf to set the host name from a segment of the path mentioned in the monitor stanza.
Syntax:

host_segment = <integer>

If <integer> is N, Splunk treats the Nth “/”-separated (on Windows, “\”-separated) segment of the path mentioned in the monitor stanza of inputs.conf as ‘host’.
For example, if host_segment=3, the third segment will be treated as “host”.
If the value is not an integer, is less than 1, or is not mentioned, then the default ‘host’ setting will be applied.
Let’s take an example. Suppose we want to ingest data into Splunk from the path “/tmp”, which contains three folders named host_one, host_two and host_three. Each folder holds some text files, and we want to ingest all of them into Splunk. We also want host_one, host_two and host_three to become the host names of the text files they contain.


I hope you have understood the concept, so let’s start.
Go to the following path and open inputs.conf:

$SPLUNK_HOME\etc\system\local

Within inputs.conf, write:

[monitor:///tmp/host*/*.txt]
host_segment = 2
index = test_index
sourcetype = host_segment

Now save it and restart your Splunk server by going to the $SPLUNK_HOME\bin.


Now go to the GUI of your search head and search that index for the data you have just ingested.
Log in to Splunk with your credentials.


And search.

index=test_index
sourcetype=host_segment

Result:


Explanation:
Here we have set host_segment = 2, which is why Splunk took the 2nd “/”-separated segment of the path given in the monitor stanza, which is “host*” (i.e. host_one, host_two and host_three).
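
To preview which host value each file would get before deploying a stanza, the rule above can be modelled offline. This is an added example, not code from Splunk or from the original post: the function names, the default host “indexer01” and the sample paths are constructed. It also assumes that “*” matches within a single path segment and that a host_segment larger than the number of segments falls back to the default host.

```python
from fnmatch import fnmatchcase

DEFAULT_HOST = "indexer01"  # constructed placeholder for the default 'host' setting


def split_segments(path):
    """Split on "/" or "\\" and drop empty pieces (e.g. from the leading slash)."""
    return [s for s in path.replace("\\", "/").split("/") if s]


def matches_monitor(pattern, path):
    """Segment-by-segment wildcard match, so "*" never crosses a separator (assumption)."""
    pat, segs = split_segments(pattern), split_segments(path)
    return len(pat) == len(segs) and all(fnmatchcase(s, p) for s, p in zip(segs, pat))


def resolve_host(path, host_segment=None, default_host=DEFAULT_HOST):
    """Return the host value the rule on this page predicts for one file path."""
    try:
        n = int(host_segment)
    except (TypeError, ValueError):
        return default_host          # not mentioned, or not an integer
    segs = split_segments(path)
    if n < 1 or n > len(segs):       # the n > len(segs) fallback is an assumption
        return default_host
    return segs[n - 1]


def preview(pattern, host_segment, paths):
    """Map each path covered by the monitor pattern to its predicted host."""
    return {p: resolve_host(p, host_segment) for p in paths if matches_monitor(pattern, p)}


# Constructed sample paths mirroring the /tmp layout used in this post.
SAMPLE_PATHS = [
    "/tmp/host_one/app.txt",
    "/tmp/host_two/app.txt",
    "/tmp/host_three/audit.txt",
    "/tmp/other/app.txt",          # directory name does not match host*
    "/tmp/host_one/sub/deep.txt",  # extra directory level, not covered by the pattern
]

if __name__ == "__main__":
    for path, host in preview("/tmp/host*/*.txt", 2, SAMPLE_PATHS).items():
        print(f"{path} -> host={host}")
```

Running the preview with host_segment set to 1 or 3 shows the off-by-one mistakes directly: every event would be tagged with “tmp” or with the file name instead of the folder name.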
I hope you all have understood this tricky but simple concept of “Usage Of host_segment Attribute In inputs.conf”.

Happy Splunking !!!
