Getting Data In

Does the Universal Forwarder support the Splunk header

Marinus
Communicator

I recently moved to the universal forwarder (4.3.3) where I collect files using the batch input. It's a long story but I have to use the batch input. I use the SPLUNK header to set the host, source and source type. The receiving indexer performs the necessary transformations. I've noticed since I've moved to the new forwarder that the header is no longer being honoured. I changed the HEADER_MODE to always in the default etc/system/local/props.conf, however events arrive without the necessary host, source and sourcetypes.

It appears that the batch handling changed in 4.2, and is not handled as part of the indexing pipeline.

0 Karma
1 Solution

Marinus
Communicator

It appears that the batch handling changed in 4.2, and is not handled as part of the indexing pipeline. Reverted back to an old forwarder.

View solution in original post

0 Karma

Marinus
Communicator

It appears that the batch handling changed in 4.2, and is not handled as part of the indexing pipeline. Reverted back to an old forwarder.

0 Karma

dart
Splunk Employee
Splunk Employee

Hi Marinus,
I'm not sure if using the ***SPLUNK*** style is supported.
I'd suggest either using the Splunk Forwarder instead of the universal forwarder, or you could set a sourcetype in your batch input, and reference that sourcetype in the TRANSFORMS, which could fix host, source and sourcetype, and also use a SEDCMD to remove the header.

I'd say the better solution is to use a full forwarder, if that works for ***SPLUNK*** style.

dart

0 Karma

Marinus
Communicator

Hi Dart

I did a couple of tests and it doesn't appear that HEADER_MODE config affects they way it processes events 😞

0 Karma

dart
Splunk Employee
Splunk Employee

What's the sourcetype of your data?

Do you have any transforms of the data? What kind of stanza specification are you using on the indexer for these? [my_sourcetype] or [source::/path/to/file] or [host::host1]?

What are you setting on the forwarder inputs?

0 Karma

Marinus
Communicator

Thanks for the response Dart. The indexer uses a batch input to collect data.

[batch:///data]
move_policy=sinkhole
crcSalt=

The host, source and sourcetype are set by the splunk header i.e.
SPLUNK host=acme source=xyz sourcetype=abc

The indexer received the events from the forwarder and has props configured to deal with the source types, which in fact rewrite the source and host keys i.e.

[abc]
TRANSFORMS-fix=fix_a, fix_b

When I look at the events on the indexer, I can see that raw events including the SPLUNK header, with no keys set.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...