Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I tag or mark _internal events from different environments?

sniderwj
Explorer
‎04-05-2017 07:42 AM

We have a requirement to collect data from testing enclaves (that have copies of production devices) to our primary Splunk environment. I have event data going to a separate index through a heavy forwarder. What I am concerned about is the Internal index. I will need to track if I have Splunk UFs on clients in the enclave. Is there a way to mark or tag the data coming through the Heavy Forwarder to indicate that it is coming from that testing environment?

Tags (1)
0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎04-05-2017 11:04 AM

One of the options you have is to add a metadata field to the events, which will require you to update forwarder configuration whenever a host moves between environments. Here is an answer that describes the process.

An alternative approach is to create (and - the tricky part - maintain) a lookup file that maps host names to enclave at search time.

0 Karma
Reply

somesoni2
Revered Legend
‎04-05-2017 08:59 AM

Do the UFs on Testing enclaves follow any particular naming conventions (basically how can you differentiate a UF from Primary vs UF from testing enclave)? How are those UF's receiving configurations, deployment servers or direct?

0 Karma
Reply

sniderwj
Explorer
‎04-05-2017 09:33 AM

The flow of data from the Enclave is UF --> Heavy Forwarder --> Production Splunk --> Enclave Specific Index

They are copying devices into the enclave from production so we will have duplicate names (host names and domain names) between the enclaves and in production.

I guess the easiest place would be to hit the events at the HF layer but I'm unsure how I can do that.

0 Karma
Reply

niketn
Legend
‎04-05-2017 08:46 AM

Can you try the dbinspect command? Following is a sample which may suit your need.

| dbinspect index=_internal 
| stats sum(eventCount) as eventCount by splunk_server
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...