
Fetching of Hostname of Ansible servers into Splunk

bsantosh
New Member

Hi, I am currently sending the Ansible jobs log data from Ansible server via Ansible external logging mechanism to Splunk Heavy Forwarder. At the Splunk Heavy Forwarder side, I am receiving the log data via HTTP Event Collector (Tokens) input method.
Finally, I will forward this log data from Heavy Forwarder to Splunk Cloud for indexing.
Similarly, Ansible jobs log data will be forwarded from multiple Ansible servers to Splunk Heavy Forwarder.

Please note that each of the Ansible servers will write the log data to port 8088, and the HTTP Event Collector configured on the Splunk Heavy Forwarder will fetch this log data by reading on port 8088.

Now, my question is: is it possible to fetch the hostnames of each of the Ansible servers from which the jobs log data is received in the Splunk Heavy Forwarder? Please note that the jobs log data doesn't contain the hostname info.

Flow is as below:

Ansible Server 1 (log data written to port 8088)
----> Heavy Forwarder (HTTP Event Collector reads log data from 8088) ---> Splunk Cloud for indexing
Ansible Server 2 (log data written to port 8088)

Thanks in advance.

thanks,
Santosh

1 Solution

jtacy
Builder

I would try setting connection_host = dns in the HTTP Event Collector token configuration on your Heavy Forwarder. I'm not sure it's possible to set this in the GUI so you may need to locate the correct inputs.conf in your Splunk installation and modify the file directly. You'll need to restart the Heavy Forwarder after making the change. For example, your token config might end up looking something like:

[http://ansible]
token = 75816337-22d2-4687-90dd-3c34d96ae61c
indexes = ansible
index = ansible
sourcetype = ansible
source = ansible
connection_host = dns

This assumes that there are appropriate PTR records for the IPs of interest in the DNS servers used by your Heavy Forwarder. The documentation for the connection_host setting is at http://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Inputsconf in the "HTTP Event Collector (HEC) - Local stanza for each token" section. Good luck!

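Because connection_host = dns only helps when the forwarder's resolver has a PTR record for each sender IP, an added pre-flight check (not code from the thread or from Splunk) that parses a stanza shaped like the one above, reverse-resolves the Ansible server IPs, and reports which would still show up as raw addresses in the host field. The stanza, token and IPs are constructed; the fallback-to-IP behaviour when no PTR exists is an assumption, though it matches what the thread observed.

```python
"""Pre-flight for connection_host = dns: check PTR records for each Ansible server IP."""
import socket

# Constructed stanza shaped like the answer's inputs.conf (placeholder token).
INPUTS_CONF = """
[http://ansible]
token = 00000000-0000-0000-0000-000000000000
indexes = ansible
index = ansible
sourcetype = ansible
source = ansible
connection_host = dns
"""

def parse_stanza(text, name):
    """Return the key = value settings of one [name] stanza (minimal parser)."""
    settings, inside = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            inside = line == f"[{name}]"
        elif inside and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def ptr_lookup(ip):
    """Reverse-resolve ip with the forwarder's resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None

def expected_host(settings, sender_ips, resolver=ptr_lookup):
    """Map each sender IP to the host value Splunk is expected to assign.
    Assumption: with connection_host = dns and no PTR record, Splunk falls back
    to the raw IP (what the thread saw before the PTR fix); connection_host = none
    (host taken from the stanza) is not modelled here."""
    mode, out = settings.get("connection_host", "ip"), {}
    for ip in sender_ips:
        # "ip" (the default) keeps the raw address; "dns" uses the PTR name
        out[ip] = (resolver(ip) or ip) if mode == "dns" else ip
    return out

def missing_ptr(sender_ips, resolver=ptr_lookup):
    """Sender IPs that would still show as raw addresses in the host field."""
    return [ip for ip in sender_ips if resolver(ip) is None]
```

Run `missing_ptr([...])` on the Heavy Forwarder itself with the real sender IPs, since it is that host's resolver that Splunk will use.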

santosh_hb
Explorer

Hi Jefrey, thanks for your timely help. That worked. Now I am able to see the IP address of the Ansible servers in the host field.

But the issue is that currently it is displayed as 'host=ipaddress of Ansible Server'. Instead, I would like to display the hostname of the Ansible server, i.e. host='hostname of Ansible Server'. Could you help me with that? Is it that I have to add/modify the props.conf and transforms.conf on the Heavy Forwarder inside the HEC app? thanks, Santosh



bsantosh
New Member

Hi Jeff, the issue was with our PTR record creation. Now the issue has been resolved and I can see the hostnames of the servers in the host field. Thank you very much for your help. regards, Santosh
