Deployment Architecture

Can I classify the set of forwaders sending input data to indexers?

splunker_123
Path Finder

Hi

We have a splunk indexer installed on a linux machine and there are around 80 universal forwader agents installed on differnt linux/windows machines which is sending data to indexer

All the forwaders are installed on WAS or WMB machines which sends data to indexer- We have three enviroments - two pre-prod and one prod- so now when I go to search app in splunk web all the 80 host names are just listed one after the other under hosts section. I want to classify them according the enviroments that is installed at the moment.Say For eg: If I go to search app I should see the environment name such as Dev- Quality Control and production under hosts.If I click on Dev,is should display all the dev servers and same as other env as well

Is it pcssibl to achieve this - if so what I have to do?

Thanks

Tags (2)
0 Karma

DaveSavage
Builder

splunker_123, I came across another solution to your challenge, if you haven't aleady sorted it out as we had a similar but not identical issue.
On the indexer edit your \local version of transforms.conf inserting
[setIndexMeta]
REGEX = (.)
DEST_KEY = _MetaData:Index
FORMAT = yournewindexname
and in \local\ props.conf:
[host::host1]
TRANSFORMS-setIndexMeta = setIndexMeta
[host::host2] etc

This means you can run separate indexes for your Dev, Quality Control and Prod env's.
Credits to our business partner Eqalis.

0 Karma

DaveSavage
Builder

There are ways. Are you using heavy forwarders? If so then use routing based on source to different indexers. CLI into your output.confs file (local)allows for customisation. Splunk help on the Linux version is pretty useful for params.
Receiving (back on the indexer m/c) through Manager> Data Inputs and using different ports say for dev / live might assist, or syslogs....but either way I may be pointing you to something you already know, or are looking at 80 hosts and thinking 'not'!

0 Karma

DaveSavage
Builder

Yes - it helps...but if I were you I'd split out dev from live..ok so its 2 dashboards to monitor but the live stuff won't be cluttered...create a new Splunk instance...and then split out your *nix traffic from your windows by different ports...and app depending upon what you are doing with your data. If there are security implications on live then it it has merit.

0 Karma

splunker_123
Path Finder

Are you saying that creating and assigning different group in outputs.conf will show classfication in splunkweb?

My original question was ,I'm not worried from admin point of view ,I want the end users to identify which server belong to which environment
when they look into list of host files through splunkweb

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.