setup.xml - Getting TCP Data In

danfinan
Explorer

Hi all,

I may have overlooked this or not understood the documentation but I'm trying to create a set-up page where the user has to specify the IP address of the TCP source.

For example, my inputs.conf will need to look something like this after the user has entered their information:

[tcp://123.55.255.255:8001]
connection_host = dns
index = index_name
sourcetype = syslog

I was hoping someone could please point me in the right direction in terms of setting this up?

Thanks for your help!

Dan

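A setup.xml that would produce the stanza Dan describes, added here as an illustration and not taken from any post in this thread: it creates a new entity on the data/inputs/tcp/raw REST endpoint and uses its restrictToHost parameter, which is what turns a plain `[tcp://8001]` listener into the `[tcp://<ip>:8001]` form that only accepts connections from that address. The block titles, labels and default port are assumptions; the endpoint and field names come from the Splunk REST API and should be checked against the setup.xml spec of the Splunk version in use.

```xml
<!-- default/setup.xml of the app (constructed example, not from the thread).
     When the user saves this form, Splunk writes the resulting stanza to the
     app's local/inputs.conf on the install where the app lives, so that
     instance must be the one the firewall can reach. -->
<setup>
  <block title="Firewall syslog over TCP">
    <text>
      Enter the address of the firewall that will send syslog to this Splunk
      instance. The input accepts connections only from that address; a TCP
      input without a restricting host would accept data from any sender.
    </text>
  </block>

  <!-- entity="_new" creates a new TCP raw input; each field maps to a
       parameter of the data/inputs/tcp/raw REST endpoint. -->
  <block title="TCP input" endpoint="data/inputs/tcp/raw" entity="_new">
    <!-- "name" is the listening port; with restrictToHost set, the stanza
         becomes [tcp://<restrictToHost>:<name>] -->
    <input field="name">
      <label>Port that Splunk listens on (for example 8001)</label>
      <type>text</type>
    </input>
    <input field="restrictToHost">
      <label>IP address of the firewall (only this host may connect)</label>
      <type>text</type>
    </input>
    <!-- connection_host = dns in Dan's stanza: host field set by reverse DNS
         of the sender; "ip" keeps the raw address instead -->
    <input field="connection_host">
      <label>How to set the host field (dns or ip)</label>
      <type>text</type>
    </input>
    <input field="index">
      <label>Index to write the firewall events to</label>
      <type>text</type>
    </input>
    <input field="sourcetype">
      <label>Sourcetype (for example syslog)</label>
      <type>text</type>
    </input>
  </block>
</setup>
```

The form appears when the app is first opened (or via "Set up" in Manage Apps), so an installer who knows only the firewall's IP can complete it without editing inputs.conf by hand.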

gcusello
SplunkTrust

Hi @danfinan,
you don't need to create a setup form, because in the Input section of the Settings you can find all the features to do what you want (for more info, see https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Getstartedwithgettingdatain ).

But the question is what are your architecture and requirements?
Because, if you have an All-in-one server you can do all from your server, but if you have a distributed architecture or an HA architecture, you have different roles for the inputs:

In other words, you have to better define the perimeter of your monitoring and the requirements of your architecture, then you can analyze each flow and identify the way to ingest.

Ciao.
Giuseppe


danfinan
Explorer

Hi Giuseppe,

Apologies, my question was a little vague!

I'm trying to create a small application that contains a few dashboards for a particular product. When the user installs my app, I need them to be able to specify the IP address of the product so that the inputs.conf file is configured to take data in.

Thanks 🙂

Dan


gcusello
SplunkTrust

Hi Dan,
if you're speaking about a form on your app, you don't need it if you know the location of the logs of this app, because you can configure your Forwarders to take logs from this app and then have the hostname and IP from the Universal Forwarder.

In other words, if you already know the list of the systems where this app will be installed you can create a dedicated ServerClass to take these logs, and when you have them in your Splunk you'll be able to extract the Hostname from the host field and the IP from a lookup of your Monitoring Console or using the dnslookup.

If instead you cannot know the target list beforehand, you can deploy the stanza to take this app's logs in all the Universal Forwarders and then create your installation list as in the previous case.

The search to run is something like this

index=your-index
| dedup host
| lookup dnslookup clienthost AS host OUTPUT clientip
| table host clientip

Ciao.
Giuseppe


danfinan
Explorer

Hi Giuseppe,

Thanks for your reply, although I think my objective hasn't come across correctly. I need the setup page because the person installing my app will be a Splunk novice and will not know how to configure Splunk properly - I'm trying to make the process as easy as possible.

For example, me (Dan) and the User have the same firewall product. At my office I can configure Splunk to ingest the syslog data on, let's say, 192.168.12.20:514, but at the User's office his firewall is on 172.16.35.10. I would like him to be able to fill in his IP address on the setup page and see the inputs.conf file on HIS Splunk install configured to use 172.16.35.10.

Best wishes,
Dan.


gcusello
SplunkTrust

Hi Dan,
if you're speaking about the Universal Forwarder to install on the target system, you only need good documentation about the installation procedure, and the people must have the rights to install it (usually these jobs are only for administrators!).

If you're speaking of a Technical Add-on (TA) to deploy on the target system, you don't need anything, because TAs are usually deployed using the Deployment Server and the user doesn't have to perform any intervention on the system.

If you're speaking of a User App to install on Splunk (not on the Universal Forwarder), I don't think that it's a good idea to leave the user to do this (usually these jobs are only for administrators!).

If you're speaking about syslog ingestion, I think that the best approach is to plan this intervention, designing the flows and opening the routes: usually syslogs are ingested by two Splunk Heavy Forwarders with a Load Balancer to be sure that all the syslogs are captured (usually these jobs are only for administrators!).

Ciao.
Giuseppe
