Deployment Architecture

Can we change the host name of the forwarder before indexing?

Splunksc
Loves-to-Learn

We have 100 hosts and for all these hosts we want to append a keyword to the host name. For example, the hostnames are TEST1, TEST2 and TEST3 and we want to add a keyword called APP, so the final host names will be APPTEST1, APPTEST2 and APPTEST3. Can we do this at UF level?

Note: we don't want to do this based on source and sourcetype at HF level because of the default source and sourcetypes.


PickleRick
SplunkTrust

UF does only simple ingestion and generally does not modify the events. You can set your metadata to a static value but not calculate it dynamically.

Your non-splunk solution would be to use a third-party provisioning software (like ansible, chef or puppet) to prepare your UF configs dynamically so that the host setting at the UF level or even a single input is set to this dynamic value.

Alternatively, you can do an index-time rewrite of your metadata with a transform similar to what @gcusello presented, just tied to a group of hosts with a matching pattern - see https://docs.splunk.com/Documentation/Splunk/Latest/Admin/Propsconf#GLOBAL_SETTINGS


gcusello
SplunkTrust

Hi @Splunksc,

you have two choices:

  • force the hostname at Forwarder level, but it's complicated if you have many forwarders.
  • Otherwise the only solution is to override the host value on an event basis on the Heavy Forwarder.

There's also a workaround: you could create a calculated field that overrides the host value at search time, not at index time.

The easiest solution is to override the host value when you encounter one of the hosts that you don't want:

on props.conf (of the Heavy Forwarder):

[host::TEST1]
TRANSFORMS-override_host = override_host
[host::TEST2]
TRANSFORMS-override_host = override_host
[host::TEST3]
TRANSFORMS-override_host = override_host
[host::TEST4]
TRANSFORMS-override_host = override_host

on transforms.conf on Heavy Forwarder:

[override_host]
SOURCE_KEY = MetaData:Host
# a capture group is required, otherwise $1 in FORMAT is empty;
# the MetaData:Host value carries the "host::" prefix, so match after it
REGEX = ^host::(.*)$
FORMAT = host::APP$1
DEST_KEY = MetaData:Host

Ciao.

Giuseppe

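The two answers above (an index-time rewrite on the Heavy Forwarder, tied to a group of hosts by pattern rather than one stanza per host) can be combined into a single pair of stanzas. The following is an added example, not configuration posted by either answerer; it assumes the forwarders' hostnames all start with TEST, that the HF is where parsing happens (UF sends unparsed data), and that the MetaData:Host value carries the `host::` prefix, which is why FORMAT has to write it back.

```ini
# props.conf on the Heavy Forwarder.
# A host:: stanza matches on the current host metadata and accepts wildcards,
# so it covers N hosts at once and is independent of source and sourcetype
# (including the default Windows ones).
[host::TEST*]
TRANSFORMS-prefix_host = prefix_host

# transforms.conf on the Heavy Forwarder.
[prefix_host]
SOURCE_KEY = MetaData:Host
# Capture group is required: FORMAT's $1 is empty without one.
# The negative lookahead (PCRE) refuses to prefix a host that already starts
# with APP, so the stanza is safe to apply twice (e.g. if it is later copied
# to the indexers as well).
REGEX = ^host::(?!APP)(.+)$
FORMAT = host::APP$1
DEST_KEY = MetaData:Host
```

Because this rewrites the indexed host value, existing searches, asset lookups and any correlation rules keyed on the old hostnames will stop matching from the moment the change takes effect; check those before rolling it out, and verify with a search such as `index=<your index> host=APP*` once the HF has restarted.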

rhirasin
Engager

We have N number of hosts, so we cannot use the static host with props.conf.

We need something dynamic. Also we should consider the default sourcetype like winhost.
