Hi
We have a splunk indexer installed on a linux machine and there are around 80 universal forwader agents installed on differnt linux/windows machines which is sending data to indexer
All the forwaders are installed on WAS or WMB machines which sends data to indexer- We have three enviroments - two pre-prod and one prod- so now when I go to search app in splunk web all the 80 host names are just listed one after the other under hosts section. I want to classify them according the enviroments that is installed at the moment.Say For eg: If I go to search app I should see the environment name such as Dev- Quality Control and production under hosts.If I click on Dev,is should display all the dev servers and same as other env as well
Is it pcssibl to achieve this - if so what I have to do?
Thanks
splunker_123, I came across another solution to your challenge, if you haven't aleady sorted it out as we had a similar but not identical issue.
On the indexer edit your \local version of transforms.conf inserting
[setIndexMeta]
REGEX = (.)
DEST_KEY = _MetaData:Index
FORMAT = yournewindexname
and in \local\ props.conf:
[host::host1]
TRANSFORMS-setIndexMeta = setIndexMeta
[host::host2] etc
This means you can run separate indexes for your Dev, Quality Control and Prod env's.
Credits to our business partner Eqalis.
There are ways. Are you using heavy forwarders? If so then use routing based on source to different indexers. CLI into your output.confs file (local)allows for customisation. Splunk help on the Linux version is pretty useful for params.
Receiving (back on the indexer m/c) through Manager> Data Inputs and using different ports say for dev / live might assist, or syslogs....but either way I may be pointing you to something you already know, or are looking at 80 hosts and thinking 'not'!
Yes - it helps...but if I were you I'd split out dev from live..ok so its 2 dashboards to monitor but the live stuff won't be cluttered...create a new Splunk instance...and then split out your *nix traffic from your windows by different ports...and app depending upon what you are doing with your data. If there are security implications on live then it it has merit.
Are you saying that creating and assigning different group in outputs.conf will show classfication in splunkweb?
My original question was ,I'm not worried from admin point of view ,I want the end users to identify which server belong to which environment
when they look into list of host files through splunkweb