Getting Data In

How can I set host for TCP input to deploy client machine?

juniormint
Communicator

I'm using the configuration deployment server to manage a bunch of forwarders. One of the apps that they get has inputs.conf with a stanza like this:

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource

I would like to do something to override the host to the forwarder machine address, but don't know if it's possible. How would I do this? Seems like it should be accessible since it's effectively a constant.

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = THISMACHINE

0 Karma
1 Solution

juniormint
Communicator

The problem is that connections from the same machine (localhost) would not appear as the hostname from dns. It happens to be the case that all connections to this input are from localhost, so the following is an acceptable solution.

[tcp://12345]
# you need this
connection_host = none
sourcetype = log4j
source = mysource
# and this
host = $decideOnStartup


0 Karma
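As an added example (not from the thread or from Splunk): a small Python checker that parses inputs.conf text and flags TCP input stanzas where a `host` value has been set but `connection_host` is still `dns` or `ip`, which is the combination the accepted answer warns about. Events landing under the wrong host break per-host correlation and alerting, so this is the kind of audit worth running over a deployment server's app directory before pushing it out. The parser, the sample stanzas and the assumed default of `connection_host = dns` when the key is absent are all constructed here.

```python
"""Audit Splunk inputs.conf text for TCP inputs whose explicit host is
overridden by connection_host.  Added example, not Splunk code."""
import re
from typing import Dict, List

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal Splunk-style .conf parser: [stanza] headers, key = value
    lines, and comments that start a line with '#'.  An inline '#' is kept
    as part of the value (constructed behaviour; do not rely on inline
    comments in real .conf files)."""
    stanzas: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = match.group(1).strip()
            stanzas.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def audit_tcp_inputs(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per TCP/TCP-SSL stanza whose host setting would be
    ignored because connection_host is not 'none'."""
    findings: List[str] = []
    for name, attrs in stanzas.items():
        if not (name.startswith("tcp://") or name.startswith("tcp-ssl://")):
            continue
        host = attrs.get("host")
        # Assumption: connection_host defaults to dns when the key is absent.
        conn = attrs.get("connection_host", "dns")
        if host is not None and conn != "none":
            findings.append(
                f"{name}: host={host!r} is ignored because "
                f"connection_host={conn!r}; set connection_host = none"
            )
    return findings


# Constructed sample: one misconfigured stanza, one correct, one without host.
SAMPLE_CONF = """
[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = THISMACHINE

[tcp://12346]
# host applies because the peer address is not used
connection_host = none
sourcetype = log4j
host = $decideOnStartup

[tcp://12347]
connection_host = ip
sourcetype = log4j
"""


def audit_sample() -> List[str]:
    """Run the audit over the constructed sample; expect one finding."""
    return audit_tcp_inputs(parse_conf(SAMPLE_CONF))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Point `parse_conf` at the contents of each app's `default/inputs.conf` and `local/inputs.conf` under the deployment server's apps directory; a finding means the forwarder will stamp events with the connecting client's hostname or address rather than the value you configured.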


grijhwani
Motivator

You should not need to. Splunk relies on being able to determine the hostname from the inherent network configuration. It is a static part of the local machine configuration, not part of the generic app. At worst you could create local configs for each forwarder at install time (in $SPLUNK_HOME/etc/system/local) which in the absence of anything else will be taken as static value.

The Splunk configuration model is layered, allowing application configurations to override specific static default and static local configuration elements. Deployed configurations should only contain those elements which are generic and dynamic.

The Splunk deployment I manage used to have a lot more forwarder endpoints than it does now, relying as it did on cluster deployments. The hostname was never a factor.

grijhwani
Motivator

The "forwarder" is the client forwarding logs to the indexer. Ordinarily this will be the initial source agent. Are you saying that in your case you have your generating source talking to an intermediate forwarder, which then passes logs on to the indexer, and it is this intermediary that you want recorded in the index as the source? If that is the case, you are talking about using "transforms" on the intermediary.

0 Karma

jtacy
Builder

Sounds like this should do it:

[tcp://12345]
connection_host = none
sourcetype = log4j
source = mysource

0 Karma

juniormint
Communicator

Seems like this is what I am seeking:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsc

host =

  • If set to '$decideOnStartup', will be interpreted as hostname of executing machine; such interpretation will occur on each splunkd startup. This is the default.
0 Karma

juniormint
Communicator

I am not quite following. My guess is that what I have above in my app will use the host data of what is connecting to the TCP input. What I want is to override that and use the hostname of the forwarder.

I get that I can do the following and the host field will be set to "THISMACHINE", but what I want is something like host = %HOSTNAME%. Is it possible to do this?

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = THISMACHINE

0 Karma

juniormint
Communicator

Forgot to mention these are Windows machines.

0 Karma