Using segment in path to eval host
I am currently bringing in a bunch of Apache logs. The sites are divided up in /var/log/httpd (eg. /var/log/httpd/site1/access.log, /var/log/httpd/site2/access.log). It would be amazing to set the base folder, the max depth, the allow list, and the host segment of the path. Is there a way to read in the path of the file to set the host field? Currently doing this in Splunk with the “host_segment” function in the inputs.conf file.
Best Answer
-
Ah, I misunderstood what source youre working with. My first response was for a Filesystem Collector, but since youre on Edge Im guessing that youre using a File Monitor source instead, correct?
The File Monitor source doesnt support path matching the same way as the Filesystem Collector does. Another way to accomplish this is to use a Pre-processing pipeline on the File Monitor, with a simple Eval pipeline like:
0
Answers
-
You can use templating in your Directory config like this:
Then, when you run the collector, youll see
site_namepopulated as a field of the event.0 -
Ah, I misunderstood what source youre working with. My first response was for a Filesystem Collector, but since youre on Edge Im guessing that youre using a File Monitor source instead, correct?
The File Monitor source doesnt support path matching the same way as the Filesystem Collector does. Another way to accomplish this is to use a Pre-processing pipeline on the File Monitor, with a simple Eval pipeline like:
0
