
Forums: SplunkAdministration: Unique Keys In Inputs.conf




Is there any way to add a completely unique key to each monitor entry? For example, we have:

[monitor:/opt/edesign/glassfish/nodeagents/webg_agent/webg-w3/logs]

[monitor:/opt/edesign/glassfish/nodeagents/webg_agent/webg-w4/logs]

The host for these is webg which is not specific enough and the source is something like "/opt/edesign/glassfish/nodeagents/webg_agent/webg-w4/logs.server.log" which is not good on graphs. I was hoping to do something like:

[monitor:/opt/edesign/glassfish/nodeagents/webg_agent/webg-w3/logs]
instance=webg-w3

[monitor:/opt/edesign/glassfish/nodeagents/webg_agent/webg-w4/logs]
instance=webg-w4

and be able to use "instance" in the search....I was also hoping to keep source and host the way it is (they're useful in their own way).

Thanks for any pointers (or other ways to tackle this).

Yes:

props.conf:

[mylogsourcetype]
REPORT-inst = instancename-from-source

transforms.conf:

[instancename-from-source]
SOURCE-KEY = source
REGEX = ^/opt/edesign/glassfish/nodeagents/webg_agent/(?<instance>[^\/]+)/logs

where mylogsourcetype is the sourcetype of your log files. (The rule is only applied to items with that sourcetype.)

Excellent thanks. I'll try this out.

We're using light forwarders which send data to a central server. Do these changes happen on the forwarders or centrally?

REPORT-inst is the "key" that can be used in the search? Or does that come from the ?<instance> regex? (it looks like REPORT-inst is just a placeholder maybe).

Your field (or "key") is "instance". This needs to be set on your search server, not the forwarders; it is set based on the source at query time.
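To make the mechanism concrete, here is an added Python emulation of what the props.conf/transforms.conf pair above does at search time. It is not Splunk code and not from anyone in this thread: it parses a transforms.conf-style stanza, applies its REGEX to the field named by SOURCE_KEY (the underscore spelling that Splunk's transforms.conf documentation uses) on each event, and groups events by the extracted "instance" field while leaving host and source untouched. The event records, the "_raw" default for a missing SOURCE_KEY, the PCRE-to-Python named-group conversion and the rejection of settings the emulator does not know are all assumptions made for this example.

```python
import configparser
import re

# Added example emulating Splunk's search-time REPORT/transforms extraction.
# It is not Splunk code; the emulator only understands the two settings used
# in this thread, so any other setting name is reported as an error (an
# assumption of the emulator, not Splunk behaviour).
KNOWN_SETTINGS = {"SOURCE_KEY", "REGEX"}

# Constructed transforms.conf text mirroring the thread's stanza.
TRANSFORMS_CONF = """
[instancename-from-source]
SOURCE_KEY = source
REGEX = ^/opt/edesign/glassfish/nodeagents/webg_agent/(?<instance>[^/]+)/logs
"""

# Constructed sample events as a search head would see them after indexing.
# host and source stay exactly as the forwarder/indexer set them.
EVENTS = [
    {"host": "webg", "_raw": "INFO server started",
     "source": "/opt/edesign/glassfish/nodeagents/webg_agent/webg-w3/logs/server.log"},
    {"host": "webg", "_raw": "WARN connection pool exhausted",
     "source": "/opt/edesign/glassfish/nodeagents/webg_agent/webg-w4/logs/server.log"},
    {"host": "webg", "_raw": "kernel: something unrelated",
     "source": "/var/log/messages"},  # does not match the regex: no instance field
]


def pcre_to_python(regex):
    """Splunk regexes are PCRE; Python's re spells named groups (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)


def load_transforms(conf_text):
    """Parse transforms.conf-style text into {stanza: (source_key, compiled_regex)}.

    Unknown setting names raise ValueError, which catches the dash/underscore
    slip (SOURCE-KEY instead of SOURCE_KEY) that silently disables a transform.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive, as written
    cp.read_string(conf_text)
    transforms = {}
    for stanza in cp.sections():
        settings = dict(cp[stanza])
        unknown = set(settings) - KNOWN_SETTINGS
        if unknown:
            raise ValueError(f"[{stanza}]: unknown setting(s) {sorted(unknown)}")
        # Assumption: without SOURCE_KEY the regex runs over the raw event text.
        source_key = settings.get("SOURCE_KEY", "_raw")
        transforms[stanza] = (source_key, re.compile(pcre_to_python(settings["REGEX"])))
    return transforms


def extract_fields(event, transform):
    """Apply one transform to one event; returns the named groups that matched."""
    source_key, regex = transform
    value = event.get(source_key)
    if value is None:
        return {}
    match = regex.search(value)
    if not match:
        return {}
    return {name: val for name, val in match.groupdict().items() if val is not None}


def settings_are_accepted(conf_text):
    """True if every stanza parses cleanly; False if a setting name is unknown."""
    try:
        load_transforms(conf_text)
        return True
    except ValueError:
        return False


def count_by_instance(events, conf_text=TRANSFORMS_CONF):
    """Emulate 'sourcetype=mylogsourcetype | stats count by instance'."""
    transform = load_transforms(conf_text)["instancename-from-source"]
    counts = {}
    for event in events:
        fields = extract_fields(event, transform)
        if "instance" in fields:  # unmatched sources simply lack the field
            counts[fields["instance"]] = counts.get(fields["instance"], 0) + 1
    return counts


if __name__ == "__main__":
    print(count_by_instance(EVENTS))  # {'webg-w3': 1, 'webg-w4': 1}
    print(settings_are_accepted(TRANSFORMS_CONF.replace("SOURCE_KEY", "SOURCE-KEY")))  # False
```

The third event shows the failure mode worth remembering: an event whose source does not match the REGEX is not dropped, it just never gets an "instance" field, so a search that filters on instance will quietly exclude it. The settings check is the kind of thing to run over a transforms.conf before deploying it to the search head, since a misspelled setting name produces no error in the search results, only missing fields.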

This worked like a charm. Powerful stuff....thanks.

FYI, I had to change the transforms.conf entry you cited to SOURCE_KEY (note the underscore, not the dash) http://www.splunk.com/base/Documentation/4.0.4/admin/transformsconf