Refine your search:

1
5

I have a deployment server app with a single inputs.conf file.

[tcp://localhost:9997]
sourcetype = tcp-raw
index = pp-dev

A windows .NET application writes to this port with XML data. Splunk is indexing the data correctly, although the host is showing up as 127.0.0.1. I have this app deployed on about 50 hosts via the deployment server. Is there a way for the Splunk to show the hostname vs. 127.0.0.1 on the indexer?

I am looking for a way to dynamically assign the name. If I have to hardcode the name, then this defeats the benefits of the deployment server.

asked 14 May '10, 22:04

Jaci's gravatar image

Jaci ♦
9228835
accept rate: 75%

edited 03 Feb '11, 15:08

Lowell's gravatar image

Lowell ♦
12.4k2422113


One Answer:

Great question. I doubt it's possible. The deployment process seem to be pretty limited, IMHO.

WARNING: UGLY UGLY HACK...

I guess you could do a hack with an input script...

Make sure your existing inputs.conf is in the default directory. Then write a simple python script to check for the existence of the local/inputs.conf in your app. If it does not already exist, then your app should create it with the following template:

[tcp:://localhost:9997]
host = <host to be dynamically filled in by script>

After the local/inputs.conf file is written, it should issue a splunk restart command so that the local entry takes effect. When splunk startup up again, the script will run again, but this time since local/inputs.conf exists, it will not make any changes or restart splunkd. (You really don't want a recursive restart loop. That would be bad, especially on 50 machines).

You would probably want to schedule this script to run like once every 31536000 seconds (every year); so that it will only effectively run once a splunkd restart.

When you redeploy your app, obviously your local/input.conf will be wiped out. This shouldn't be a problem though because splunkd will have to restart once (oh yeah, make sure you have restartSplunkd=true in your deployment config). So when splunkd restarts with the newly deployed app, since local/inputs.conf will be missing again, the file will be written and splunkd will be restarted again, but this time with your proper host entry...

Wow! That's ugly. not as bad as it could be, definitely doable, but certainly not pretty.

Do you have any python experience? I could probably whip up a prototype if you want. I know there have been times where I've wanted a feature like this before.


UPDATE... I went ahead and wrote a quick python script that should get the job done (I haven't actually tested it, so there could be issues.)

""" hack_local_inputs.py:  Simple hack to write out a local/inputs.conf file
for this app with a hardcoded host value.
"""

import os
import socket
from subprocess import call

APP_NAME = "my_app_name"
SPLUNK_HOME = os.evniron["SPLUNK_HOME"]
HOSTNAME = socket.gethostname()

conf_file = os.path.join(SPLUNK_HOME, "etc", "apps", APP_NAME, "local", "inputs.conf")

if os.path.exists(conf_file):
    # This is for debugging this script
    print 'Nothing to do here, conf file already exists...  conf="%s"' % conf_file
else:
    stream = open(conf_file, "w")
    stream.write("[tcp:://localhost:9997]\n")
    stream.write("host = %s\n" % HOSTNAME)
    stream.write("disabled = 0\n")
    stream.close()
    # This is for debugging this script
    print 'Finished Hardcoding host hack!  splunk_app=%s new_host=%s conf="%s"' \
            % (APP_NAME, HOSTNAME, conf_file)
    splunk_exe = os.path.join(SPLUNK_HOME, "bin", "splunk")
    call([splunk_exe, "restart", "splunkd"])

Then, in your default/inputs.conf add something like this:

default0
link

answered 14 May '10, 22:36

Lowell's gravatar image

Lowell ♦
12.4k2422113
accept rate: 41%

edited 14 May '10, 22:55

Thank you for the answer and the python script.

(24 May '10, 20:58) Jaci ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×222
×171

Asked: 14 May '10, 22:04

Seen: 1,537 times

Last updated: 03 Feb '11, 15:08

Copyright © 2005-2014 Splunk Inc. All rights reserved.