How do I prefix data coming from a Universal Forwarder... basically I want data coming from a collector at a client site to have "Client_Name-"$HOSTNAME
so that if this comes from Company_ABC it would look like this in my dashboard
You don't need to explicitly tell the forwarder to send the host name of the machine from where the data is coming from. Splunk handles that by default. The field name is "host".
So for example, if you wanted to see a full listing of all the hosts that are sending data to your Indexers, you can execute a query like this:
index=* | dedup host | table host
I was wondering if I could add data to the host depending on what forwarder it came from.
I understand I can search but I would like to be able to add client specific data to each host that gets forwarded from a forwarder.
As in my original post, it would be nice to add Company_ABC- as a prefix when a specific forwarder gathers data and sends to an indexer.
Since this is for a dashboard, your easiest option is to use a lookup table. It sounds like you know what the mapping is between the name Company_ABC and the host from which the data came from. You can just dump that into a csv file and call the lookup based on "host" at search time. You need not insert it at index time.
If you absolutely must insert it at index time, your only option is to do this at the indexer upon data arrival using a transforms stanza to insert the Company_ABC name; this approach is generally not recommended, but if you must have it that way, then use the transform.
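
The index-time transform mentioned in the last answer could look like the following; this is an added example, not configuration posted in the thread. The stanza name `prefix_company_abc` and the host pattern `abc-*` are hypothetical placeholders, and it assumes Company_ABC's hosts can be selected by that pattern on the indexer.

```ini
# --- props.conf (on the indexer) ---
# Hypothetical selector: apply the transform only to events whose
# original host matches abc-*. Replace with a pattern (or a source /
# sourcetype stanza) that really identifies this client's data.
[host::abc-*]
TRANSFORMS-clientprefix = prefix_company_abc

# --- transforms.conf (on the indexer) ---
# Hypothetical stanza name. Rewrites the host metadata key at index time.
[prefix_company_abc]
# Read the current host value; Splunk presents it as "host::<name>".
SOURCE_KEY = MetaData:Host
# Capture the host name, skipping values that already carry the prefix
# so the transform never produces Company_ABC-Company_ABC-<name>.
REGEX = ^host::(?!Company_ABC-)(.+)$
# Write the prefixed value back; the "host::" prefix is required.
FORMAT = host::Company_ABC-$1
DEST_KEY = MetaData:Host
```

The rewritten host is stored with the indexed events, so it applies only to data indexed after the change and cannot be adjusted later the way a search-time lookup can.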