Refine your search:


I have a deployment server app with a single inputs.conf file.

sourcetype = tcp-raw
index = pp-dev

A windows .NET application writes to this port with XML data. Splunk is indexing the data correctly, although the host is showing up as I have this app deployed on about 50 hosts via the deployment server. Is there a way for the Splunk to show the hostname vs. on the indexer?

I am looking for a way to dynamically assign the name. If I have to hardcode the name, then this defeats the benefits of the deployment server.

asked 14 May '10, 22:04

Jaci's gravatar image

Jaci ♦
accept rate: 75%

edited 03 Feb '11, 15:08

Lowell's gravatar image

Lowell ♦

One Answer:

Great question. I doubt it's possible. The deployment process seem to be pretty limited, IMHO.


I guess you could do a hack with an input script...

Make sure your existing inputs.conf is in the default directory. Then write a simple python script to check for the existence of the local/inputs.conf in your app. If it does not already exist, then your app should create it with the following template:

host = <host to be dynamically filled in by script>

After the local/inputs.conf file is written, it should issue a splunk restart command so that the local entry takes effect. When splunk startup up again, the script will run again, but this time since local/inputs.conf exists, it will not make any changes or restart splunkd. (You really don't want a recursive restart loop. That would be bad, especially on 50 machines).

You would probably want to schedule this script to run like once every 31536000 seconds (every year); so that it will only effectively run once a splunkd restart.

When you redeploy your app, obviously your local/input.conf will be wiped out. This shouldn't be a problem though because splunkd will have to restart once (oh yeah, make sure you have restartSplunkd=true in your deployment config). So when splunkd restarts with the newly deployed app, since local/inputs.conf will be missing again, the file will be written and splunkd will be restarted again, but this time with your proper host entry...

Wow! That's ugly. not as bad as it could be, definitely doable, but certainly not pretty.

Do you have any python experience? I could probably whip up a prototype if you want. I know there have been times where I've wanted a feature like this before.

UPDATE... I went ahead and wrote a quick python script that should get the job done (I haven't actually tested it, so there could be issues.)

"""  Simple hack to write out a local/inputs.conf file
for this app with a hardcoded host value.

import os
import socket
from subprocess import call

APP_NAME = "my_app_name"
HOSTNAME = socket.gethostname()

conf_file = os.path.join(SPLUNK_HOME, "etc", "apps", APP_NAME, "local", "inputs.conf")

if os.path.exists(conf_file):
    # This is for debugging this script
    print 'Nothing to do here, conf file already exists...  conf="%s"' % conf_file
    stream = open(conf_file, "w")
    stream.write("host = %s\n" % HOSTNAME)
    stream.write("disabled = 0\n")
    # This is for debugging this script
    print 'Finished Hardcoding host hack!  splunk_app=%s new_host=%s conf="%s"' \
            % (APP_NAME, HOSTNAME, conf_file)
    splunk_exe = os.path.join(SPLUNK_HOME, "bin", "splunk")
    call([splunk_exe, "restart", "splunkd"])

Then, in your default/inputs.conf add something like this:


answered 14 May '10, 22:36

Lowell's gravatar image

Lowell ♦
accept rate: 41%

edited 14 May '10, 22:55

Thank you for the answer and the python script.

(24 May '10, 20:58) Jaci ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions



Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 14 May '10, 22:04

Seen: 1,641 times

Last updated: 03 Feb '11, 15:08

Copyright © 2005-2014 Splunk Inc. All rights reserved.