Is there a way to send a unique system ID from a forwarder to a Splunk indexer along with the logs?
I have some Windows and Linux systems that may get their hostname and IP changed, but would always keep the same unique ID number regardless of other system changes. i'd like to include that ID in some fashion with the logs themselves so I can use that for search on the indexer.
In a perfect world, I'd like to just include a stanza in the forwarder configuration file and the info gets sent out- but unsure where the best place would be to configure that at.
Thanks for any input, or which direction to go with this.
edit and resolution
It looks like I was looking for scripted inputs to send the data to my Indexer.
I created a .bat script named guid.bat that returns the information I want to see, all on one line. Next, I added the following entry to the inputs.conf and restarted Splunk.
[script://C:\Program Files\Splunk\etc\system\bin\guid.bat] interval = 60 sourcetype = myguid index = my_indexname_here disabled = false
Every 60 seconds, Splunk will make an entry to the indexer with the information I'm looking for.
We have a way to do this and I've provided a link below to it.
You'll simply need to inject a HEADER into your file that might look like this:
NOTE: Keep in mind that you'll need to inject this HEADER before you index the file and that Splunk will only honor this new metadata for events that happen in the file AFTER the header. Therefore, if you want all of your events in your file to have these new fields/values you'll need to put the HEADER at the beginning of your file.
Hope that helps.
Thanks for pointing me in the right direction! It looks like what I was looking for was scripted input. I have a script now which will send the GUID in with the rest of the logs to my indexer.
That should be enough information for me to match up logs, determine mis-matches and assist in troubleshooting.
Thanks again for all the assist
The method would be the same, more or less -- you need to be able to manipulate your source slightly before indexing. If you're indexing flat files that should be easy enough to accomplish with a batch script that will inject the HEADER in there. If you're talking .evt (Event Logs) I'm not sure how you would go about doing that beyond scripting your own script to solicit the API and inject your metadata before index time.