I have a setup (shown in pics) in which a bunch of forwarders are sending data to Splunk. One of the forwarders has many VMs on a single physical machine.
I would like to receive data only from vm2, and not ingest logs from vm1,3 and 4. I also want to send _internal logs from this VM to the indexer.
I do not want to touch any of the other forwarder-indexer connections.
I would preferably do it on the forwarder instead of the indexer, because the indexer is already receiving logs from other forwarders.
Please guide me, what settings should I change.
I would like to route events to null queue based on the source, since the source has the vm name in its format.
source=/directory to log/hostName-vmName-TypeofLog.log
How do I do the null queue routing based on the source name?
Why would you like to use the null queue?
If this is the path to the file, you can just specify the [monitor] stanza in inputs.conf,
something like this:
[monitor://directory_to_log/hostName-vm2-TypeofLog.log]
sourcetype = sourcetype
index = index
This will save you from monitoring all the logs on the forwarder and filtering on the indexer...
Hope this makes sense.
My requirement is specifically to allow all logs except those having vm1, vm3 and vm4 in their source.
So, if the source is hostnamevm1logname, hostvm3logname or hostnamevm4logname, block them.
Allow all other logs to flow through.
All internal logs, and any other logs that may get added on vm2, also need to be allowed.
It's more a problem of: BLOCK a few logs and ALLOW everything else.
I would agree it's better to not ingest the files if that is an option. If that is not an option, you can use source as outlined in the link I posted previously (HERE); it provides an example for source:
[source::/var/log/messages]
TRANSFORMS-null = setnull
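A worked version of that props.conf/transforms.conf pairing for the asker's source naming, as an added example rather than the answerer's own configuration; the directory /directory_to_log, the hostName prefix and the file-name pattern are assumptions taken from the placeholder path in the question:

```ini
# props.conf (added example, assumed paths)
# Apply the transform only to sources under the log directory, so
# _internal and every other source are never touched.
[source::/directory_to_log/...]
TRANSFORMS-null = drop_vm134

# transforms.conf (added example)
# Match on the source field itself, not the event text, and route
# anything from vm1, vm3 or vm4 to nullQueue so it is discarded before
# indexing. vm2 files (and any new files on vm2) fall through unchanged.
[drop_vm134]
SOURCE_KEY = MetaData:Source
REGEX = /hostName-vm(1|3|4)-[^/]*\.log$
DEST_KEY = queue
FORMAT = nullQueue
```

These settings only take effect where event parsing happens, i.e. on the indexer or a heavy forwarder, not on a universal forwarder; the inputs.conf approach above is the only option for filtering on a universal forwarder.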