Hi guys,
Is it possible to limit a Splunk receiver via host wildcard?
So currently I have in inputs.conf
[splunktcp://9997]
I want to limit this strictly to various hosts only, so I can do this in inputs.conf:
[splunktcp://lin01:9997]
[splunktcp://lin02:9997]
[splunktcp://lin03:9997]
How is it now possible to limit this via a wildcard, i.e. only allow receiving from hostnames beginning with (whitelist) 'lin' (Linux in my case) and not receive data from a host called 'win01'?
Is this possible?
Thanks..
Judging from experience and (most importantly) from the inputs.conf.spec file, I don't believe that wildcards are accepted here.
An easy way to test this would be to attempt to set this up with a wildcard, up the log level of the TcpInputProc channel to DEBUG in $SPLUNK_HOME/etc/log.cfg, and see what turns up in splunkd.log when you restart splunkd and the input is set up.