Getting Data In

Assign environment and role data to a monitor stanza

feedmagnet
New Member

Hello, I am test driving Splunk Storm and I am very new to the ecosystem. Here is what I am trying to do:

I have web_host, magnet_host, db_host as kinds of machines.
I have prod_tiny, prod_small, prod_large for environments

I would like to do something like this:

    # Set some search criteria
    [monitor]
    chef_environment=dev
    role=magnet_host
    # Grab syslog to let us know when OOM becomes active
    [monitor:///var/log/syslog]
    # Grab all our application logs
    [monitor:///var/log/feedmagnet/]

so that the input from this magnet_host is indexed so I can search on just that while it is also indexed on the environment "dev" so I can also search that way as well.

My goal is to say

  • "see if this error is common to webservers across all environments"
  • "see if I am getting any errors in prod_tiny with the release b/f I release to prod_small"

and so on.

Thanks for your time in answering my obviously noob question!
Boyd

0 Karma

Ayn
Legend

It sounds like you would benefit from using tags. You can tag hosts with things like what environment you consider them to belong to. inputs.conf is strictly for defining inputs, not for classifying them in any other way than what source, sourcetype or index they'll belong to.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Abouttagsandaliases

0 Karma

Ayn
Legend

Unfortunately (in your situation that is) tagging is a search-time operation and as such only settings on the Splunk instance you're searching from matter. Also Universal Forwarders can't do any event transforming so things like adding custom fields to all events are out of the question as well.

0 Karma

feedmagnet
New Member

Thanks for the direction Ayn! This was a start in the right direction I think. After reading a few more pages on tagging I landed on "Tag the host field".

I have ~200 machines. They are cloud based and transient. So the above tells how to tag in the GUI. I want the forwarder installed on the machine to do the tagging. So I am still stuck at how does the machine identify itself as a certain kind and in a certain environment.

Any more insight would be greatly appreciated.

Thanks
Boyd

0 Karma
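
Added example (not part of any post in this thread, and not Splunk's own code): because tags are applied at search time on the instance you search from, one way to cover many transient machines is to generate the `[host=<name>]` stanzas of tags.conf from an inventory instead of tagging in the GUI. The inventory, the host names and the function `render_tags_conf` are hypothetical, and the example assumes you can edit tags.conf on the searching instance.

```python
import re

# Constructed inventory: host name -> (role, environment), for example
# exported from Chef node data. All names here are made up.
INVENTORY = {
    "web-01.example.internal": ("web_host", "prod_tiny"),
    "web-02.example.internal": ("web_host", "prod_small"),
    "magnet-01.example.internal": ("magnet_host", "dev"),
    "db-01.example.internal": ("db_host", "prod_large"),
}

# Only plain host and tag names are accepted, so a crafted inventory entry
# cannot close the stanza header and inject extra stanzas or settings.
SAFE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def render_tags_conf(inventory):
    """Return tags.conf text with one [host=<name>] stanza per machine.

    Each stanza enables two tags on the host field value: the role and
    the environment of that machine.
    """
    stanzas = []
    for host in sorted(inventory):
        role, env = inventory[host]
        for value in (host, role, env):
            if not SAFE.fullmatch(value):
                raise ValueError(f"unsafe value for tags.conf: {value!r}")
        stanzas.append(f"[host={host}]\n{role} = enabled\n{env} = enabled\n")
    return "\n".join(stanzas)


if __name__ == "__main__":
    print(render_tags_conf(INVENTORY))
    # Searches that use the generated tags:
    #   tag::host=web_host error     (web servers across all environments)
    #   tag::host=prod_tiny error    (everything in prod_tiny)
```

Regenerate the file whenever machines are created or destroyed, since the tags live with the search configuration and not with the forwarder.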