Syncsort Ironstream: Why does the TCP stream need no destination index configured?

marrette
Path Finder

We've configured our Splunk instance to receive data via TCP stream from the Syncsort Ironstream forwarder installed on a mainframe. What's strange with this setup is that the inputs.conf file does not specify an index; somehow it is specified in Ironstream on the mainframe, because when the data arrives it automatically goes into that non-default index.

The inputs.conf file looks like this:

[tcp://9998]
connection_host = dns
sourcetype = json

Yet when the data is received Splunk knows to put it into the 'Mainframe' index. How is this happening? Is there some sort of 'meta' data that wraps the data on the way in that Splunk uses to determine the index?


ianhss
Explorer

Hi marrette,

I am happy to help and glad to hear you are using Ironstream successfully.

Yes, there is metadata involved. Bottom line, this is legitimate and has no impact or overhead on your indexing. The metadata, at least for target index, is not indexed. But this is Splunk internals, hence I am not at liberty to reveal the full workings.

But if you put on your lateral thinking hat and use a wire tracing tool (such as one of our own Syncsort ZEN Suite components) you will be able to see what is being sent.

Happy [mainframe] Splunking!


ianhss
Explorer

Hi marrette. No magic, all legitimate Splunk use.

Splunk can use metadata for specifying the receiving index. This can be specified in the Ironstream mainframe configuration. The value will be used as a data destination, unless it is overridden in Splunk. Failing that, Splunk will send the data to the default index.

Are you a licensed customer or using our free Starter Edition? If a licensed customer, and you have further questions, our Support Team will be very happy to help. Please feel free to contact them via our MySupport site.
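
The precedence described above (sender metadata, then a Splunk-side override, then the default index) means the raw TCP stanza in the question lets the sending side choose where data lands. The following is an added example of the original stanza beside a hardened one, not configuration from the thread or from Syncsort: it assumes the standard inputs.conf settings `index` and `acceptFrom`, that pinning `index` in the stanza is the Splunk-side override the answer refers to, and that the mainframe address and index name shown are constructed placeholders.

```ini
# As posted in the question: no index pinned, any host that can reach
# port 9998 may connect, and the destination index is taken from
# whatever metadata the sender attaches.
[tcp://9998]
connection_host = dns
sourcetype = json

# Hardened variant (added example; values are constructed placeholders).
# - index: fixes the destination on the receiving side so the sender's
#   metadata cannot redirect events into another index.
# - acceptFrom: network ACL restricting which addresses may open the
#   TCP input; replace 192.0.2.10 with the mainframe's real address.
[tcp://9998]
connection_host = dns
sourcetype = json
index = mainframe
acceptFrom = 192.0.2.10, !*
```

After reloading the input, the check is to search `index=mainframe` for fresh events from the Ironstream host and confirm that nothing from that input appears in the default index.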

marrette
Path Finder

Hi ianhss,
Thanks for the quick reply. We are indeed using the licensed version of Ironstream and it is all working fine.

I'm really just asking this question academically as I always thought that when Splunk is configured to receive data from a TCP stream you'd see everything in Splunk - but it sounds like there is some 'metadata' being sent with the stream that is understood by Splunk but not indexed? What is this data, and how is it sent to Splunk (is it in the packet header for example)?
