Can I classify the set of forwarders sending input data to indexers?

splunker_123
Path Finder

Hi

We have a Splunk indexer installed on a Linux machine and there are around 80 universal forwarder agents installed on different Linux/Windows machines which are sending data to the indexer.

All the forwarders are installed on WAS or WMB machines which send data to the indexer. We have three environments - two pre-prod and one prod - so now when I go to the search app in Splunk Web all the 80 host names are just listed one after the other under the hosts section. I want to classify them according to the environments that are installed at the moment. Say, for example: if I go to the search app I should see the environment names such as Dev, Quality Control and Production under hosts. If I click on Dev, it should display all the dev servers, and the same for the other environments as well.

Is it possible to achieve this - if so, what do I have to do?

Thanks

0 Karma

DaveSavage
Builder

splunker_123, I came across another solution to your challenge, if you haven't already sorted it out, as we had a similar but not identical issue.
On the indexer, edit your \local version of transforms.conf, inserting:
[setIndexMeta]
REGEX = (.)
DEST_KEY = _MetaData:Index
FORMAT = yournewindexname
and in \local\props.conf:
[host::host1]
TRANSFORMS-setIndexMeta = setIndexMeta
[host::host2] etc

This means you can run separate indexes for your Dev, Quality Control and Prod envs.
Credits to our business partner Eqalis.

0 Karma
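
An added example, not part of DaveSavage's post or any Splunk tooling: with around 80 hosts, the per-host stanzas described above can be generated from an inventory instead of typed by hand, one transform per environment. Host names, index names and function names are constructed placeholders, and the target indexes are assumed to already exist on the indexer.

```python
import re

# Constructed sample inventory: host name -> environment (placeholders).
INVENTORY = {
    "was-dev-01": "dev",
    "wmb-dev-02": "dev",
    "was-qc-01": "qc",
    "was-prod-01": "prod",
    "wmb-prod-02": "prod",
}
# Assumed index names; each must be defined on the indexer beforehand.
ENV_INDEX = {"dev": "idx_dev", "qc": "idx_qc", "prod": "idx_prod"}

# Reject anything that could break out of a stanza header or value.
SAFE = re.compile(r"^[A-Za-z0-9_.-]+$")


def transform_name(env):
    return "setIndex_" + env


def build_transforms(env_index):
    """One index-routing transform per environment (transforms.conf)."""
    out = []
    for env, index in sorted(env_index.items()):
        if not (SAFE.match(env) and SAFE.match(index)):
            raise ValueError(f"unsafe environment or index name: {env!r}/{index!r}")
        out += [f"[{transform_name(env)}]", "REGEX = (.)",
                "DEST_KEY = _MetaData:Index", f"FORMAT = {index}", ""]
    return "\n".join(out)


def build_props(inventory, env_index):
    """One [host::...] stanza per forwarder host (props.conf)."""
    out = []
    for host, env in sorted(inventory.items()):
        if not SAFE.match(host):
            raise ValueError(f"unsafe host name: {host!r}")
        if env not in env_index:
            # Fail loudly: an unmapped host would otherwise stay in the
            # default index and mix with another environment's data.
            raise ValueError(f"{host}: unknown environment {env!r}")
        out += [f"[host::{host}]",
                f"TRANSFORMS-setIndexMeta = {transform_name(env)}", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print("# transforms.conf\n" + build_transforms(ENV_INDEX))
    print("# props.conf\n" + build_props(INVENTORY, ENV_INDEX))
```
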

DaveSavage
Builder

There are ways. Are you using heavy forwarders? If so, then use routing based on source to different indexers. CLI into your outputs.conf file (local) allows for customisation. Splunk help on the Linux version is pretty useful for params.
Receiving (back on the indexer m/c) through Manager> Data Inputs and using different ports say for dev / live might assist, or syslogs....but either way I may be pointing you to something you already know, or are looking at 80 hosts and thinking 'not'!

0 Karma

DaveSavage
Builder

Yes - it helps...but if I were you I'd split out dev from live..ok so it's 2 dashboards to monitor but the live stuff won't be cluttered...create a new Splunk instance...and then split out your *nix traffic from your windows by different ports...and app depending upon what you are doing with your data. If there are security implications on live then it has merit.

0 Karma

splunker_123
Path Finder

Are you saying that creating and assigning a different group in outputs.conf will show the classification in splunkweb?

My original question was: I'm not worried from an admin point of view, I want the end users to identify which server belongs to which environment when they look into the list of host files through splunkweb.

0 Karma