We have updated our Terms of Service, Code of Conduct, and Addendum.

Using segment in path to eval host

I am currently bringing in a bunch of Apache logs. The sites are divided up in /var/log/httpd (eg. /var/log/httpd/site1/access.log, /var/log/httpd/site2/access.log). It would be amazing to set the base folder, the max depth, the allow list, and the host segment of the path. Is there a way to read in the path of the file to set the host field? Currently doing this in Splunk with the “host_segment” function in the inputs.conf file.

Best Answer

  • Anson VanDoren
    Anson VanDoren Posts: 17 ✭✭
    edited July 2023 Answer ✓

    Ah, I misunderstood what source youre working with. My first response was for a Filesystem Collector, but since youre on Edge Im guessing that youre using a File Monitor source instead, correct?

    The File Monitor source doesnt support path matching the same way as the Filesystem Collector does. Another way to accomplish this is to use a Pre-processing pipeline on the File Monitor, with a simple Eval pipeline like:

Answers

  • Anson VanDoren
    Anson VanDoren Posts: 17 ✭✭
    edited July 2023

    You can use templating in your Directory config like this:

    Then, when you run the collector, youll see site_name populated as a field of the event.

  • Anson VanDoren
    Anson VanDoren Posts: 17 ✭✭
    edited July 2023 Answer ✓

    Ah, I misunderstood what source youre working with. My first response was for a Filesystem Collector, but since youre on Edge Im guessing that youre using a File Monitor source instead, correct?

    The File Monitor source doesnt support path matching the same way as the Filesystem Collector does. Another way to accomplish this is to use a Pre-processing pipeline on the File Monitor, with a simple Eval pipeline like: