You could win up to $50,000 building Splunk apps in the Splunk>Apptitude contest. Learn more »
I have a deployment server app with a single inputs.conf file.
<code>[<a href="tcp://localhost">tcp://localhost</a>:9997] sourcetype = tcp-raw index = pp-dev </code>
A windows .NET application writes to this port with XML data. Splunk is indexing the data correctly, although the host is showing up as 127.0.0.1. I have this app deployed on about 50 hosts via the deployment server. Is there a way for the Splunk to show the hostname vs. 127.0.0.1 on the indexer?
I am looking for a way to dynamically assign the name. If I have to hardcode the name, then this defeats the benefits of the deployment server.
Great question. I doubt it's possible. The deployment process seem to be pretty limited, IMHO.
WARNING: UGLY UGLY HACK...
I guess you could do a hack with an input script...
Make sure your existing
inputs.conf is in the
default directory. Then write a simple python script to check for the existence of the
local/inputs.conf in your app. If it does not already exist, then your app should create it with the following template:
[tcp:://localhost:9997] host = <host to be dynamically filled in by script>
local/inputs.conf file is written, it should issue a
splunk restart command so that the local entry takes effect. When splunk startup up again, the script will run again, but this time since
local/inputs.conf exists, it will not make any changes or restart splunkd. (You really don't want a recursive restart loop. That would be bad, especially on 50 machines).
You would probably want to schedule this script to run like once every 31536000 seconds (every year); so that it will only effectively run once a splunkd restart.
When you redeploy your app, obviously your
local/input.conf will be wiped out. This shouldn't be a problem though because splunkd will have to restart once (oh yeah, make sure you have
restartSplunkd=true in your deployment config). So when
splunkd restarts with the newly deployed app, since
local/inputs.conf will be missing again, the file will be written and splunkd will be restarted again, but this time with your proper host entry...
Wow! That's ugly. not as bad as it could be, definitely doable, but certainly not pretty.
Do you have any python experience? I could probably whip up a prototype if you want. I know there have been times where I've wanted a feature like this before.
UPDATE... I went ahead and wrote a quick python script that should get the job done (I haven't actually tested it, so there could be issues.)
""" hack_local_inputs.py: Simple hack to write out a local/inputs.conf file for this app with a hardcoded host value. """
from subprocess import call
APP_NAME = "my_app_name"
SPLUNK_HOME = os.evniron["SPLUNK_HOME"]
HOSTNAME = socket.gethostname()
conf_file = os.path.join(SPLUNK_HOME, "etc", "apps", APP_NAME, "local", "inputs.conf")
# This is for debugging this script
print 'Nothing to do here, conf file already exists... conf="%s"' % conf_file
stream = open(conf_file, "w")
stream.write("host = %sn" % HOSTNAME)
stream.write("disabled = 0n")
# This is for debugging this script
print 'Finished Hardcoding host hack! splunk_app=%s new_host=%s conf="%s"'
% (APP_NAME, HOSTNAME, conf_file)
splunk_exe = os.path.join(SPLUNK_HOME, "bin", "splunk")
call([splunk_exe, "restart", "splunkd"])
Then, in your
default/inputs.conf add something like this:
<code>[script::$SPLUNK_HOME/etc/apps/my_app_name/bin/hack_local_inputs.py] sourcetype = hack_local_inputs interval = 31536000 </code>