Getting Data In

Is it possible to send host grouping information from a forwarder?

d044160
Explorer

In an inputs.conf I can define a forwarder's host field which I can use in searches. Identifying a single host is not always enough, e.g., we have build servers, source code management servers, filers etc. to monitor - a kind of grouping would come in handy in order to limit searches to a certain group of hosts. We could do that by maintaining lists and using them as look-ups, but I was wondering whether there's the possibility to achieve that on the forwarder with just configuration. Example:

inputs.conf on host A:

host=hosta
group=build_servers

inputs.conf on host B:

host=hostb
group=git_servers

I want to be able to search for something like

search host=* group="build_servers" sourcetype="df" ... | ...

Is there a way to do this?

0 Karma

srioux
Communicator

Splunk records pretty limited information per-event; your best bet would be to either have a lookup field (which you mentioned may not work), filters as a set of macros or eventtypes (again, based on static info), or to have it built-in to one of the default metadata-scraped fields:

  • Have it built-in to the "host" field (ex: have domain portions of the FQDN identify grouping)
  • Have it built-in to the "source" field (ex: prefix/suffix source value with a tag - I've seen this done where we had "grouping" built-in to the directories of the log files we were scraping)
  • Have it built-in to the "sourcetype" field (entirely dependent on your environment, but I'd generally prefer to have slightly broader sourcetypes)

0 Karma
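As an added illustration of the "source" and "host" options from the answer above (not configuration from the original thread), here is a constructed forwarder stanza that prefixes the source value with a group tag, plus the search-time extraction on the search head that turns that tag back into a searchable group field; the log path, group names and the host FQDN layout are assumptions.

```ini
# inputs.conf on the forwarder of host A (constructed; path and names are assumptions)
[monitor:///var/log/df.log]
sourcetype = df
# Prefix the source value with the group tag, as the answer suggests.
# Every monitor stanza on a build server would carry the same prefix.
source = build_servers:/var/log/df.log

# props.conf on the search head (wherever search-time field extraction runs).
# Pull the tag out of "source" at search time into a field named "group".
[df]
EXTRACT-group = ^(?<group>[^:]+): in source

# Alternative for the "host" option: if the forwarder's host value is an FQDN
# such as hosta.build.example.com, take the second label as the group.
# Use either this or the source-based extraction above, not both.
# EXTRACT-group = ^[^.]+\.(?<group>[^.]+)\. in host

# Example search once the extraction is in place:
#   sourcetype=df group=build_servers | stats count by host
```

The extraction is search-time only, so events whose source was indexed without the prefix simply get no group field, and the tag has to be added to every monitor stanza on the forwarder to cover a whole host. Overriding source also changes what shows up in the default source field, which is the ownership concern the asker raises below.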

d044160
Explorer

I almost suspected that. Thanks for summarizing my options ... "host" and "source" won't work because those are outside my jurisdiction (I don't own the monitorees) and I agree, abusing "sourcetype" for that purpose would harm "sourcetype" as a more or less well-known concept in my Splunk deployment.

0 Karma