Getting Data In

wildcard in inputs.conf splunktcp stanza?

mark
Path Finder

Hi guys,

Is it possible to limit a splunk receiver via host wildcard.

So curently I have in inputs.conf
[splunktcp://9997]

I want to limit this strictly to various hosts only: So I can do this in inputs.conf:
[splunktcp//:lin01:9997]
[splunktcp//:lin02:9997]
[splunktcp//:lin03:9997]

How is it now possible to limit this via a wildcard, ie. only receive allow receive for hostnames begining with (whitelist) 'lin' (linux in my case) and not recieve data from a host called 'win01'?

Is this possible?

Thanks..

hexx
Splunk Employee
Splunk Employee

Judging from experience and (most importantly) from the inputs.conf.spec file, I don't believe that wildcards are accepted here.

An easy way to test this would be to attempt to set this up with a wildcard, up the log level of the TcpInputProc channel to DEBUG in $SPLUNK_HOME/etc/log.cfg and see what turns up in splunkd.log when you restart splunkd and the input is set up.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...