- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How would you manipulate the host name at index ti...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How would you manipulate the host name at index time based on serverclass?
What would a props/transform look like on an indexer that would append to the hostname field at index time based on the serverclass of the forwarder sending events?
If we are launching different serverclasses into specific interfaces, then setting the regex in the serverclass to mark those as "web servers" to push out deployment apps etc. What is the best practice if you don't want to actively manipulate the inputs host = stanza on the forwarders, to basically add a string in front of the auto reported IP for the host name that the forwarder assigns at index time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to play around with server.conf:
I am pretty sure that if you deploy this setting BEFORE you start splunk the first time, it will initialize the way that you are asking:
serverName=web-$COMPUTERNAME
In any case, you can DEFINITELY edit the setting post-install in $SPLUNK_HOME/etc/system/local/server.conf and set it there and everything that that host sends in will be updated for all events (even the internal index=_* ones).
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you really mean serverclass in your question? This is a highly unusual (and really impossible) request, at least if taken literally. If what you mean is to create a series of deployment apps, each of which maps to a specific serverclass, and each of which has a particular hostname override, then this is very doable and there is a ton of documentation on each of the 2 steps. Which step is giving you trouble?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was overthinking it I believe, however I am a little confused over the last step.
Basically let the forwarder auto assign the hostname, which in our case would be the IP
It then phones home, where the deployment server maps its serverclass and pushes the assigned apps out.
In the inputs of those assigned apps we just set the host name.
If the auto assigned for example is 10.2.5.120, how would you go about creating a stanza that basically did this in the inputs sent out to that forwarder?
[default]
host = web-<auto assigned host>
for a host set in splunk for events coming from that server as host = web-10.2.5.120
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
