Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Distinguish which Heavy Forwarder an event passed through?

adamsmith47
Communicator
‎07-06-2018 08:43 AM

Hello,

I've been looking through documentation and other answers, and would like some ideas on our specific use case.

Essentially, we have 1 Search Head, 1 Indexer, a dozen Heavy Forwarders, and each Heavy Forwarder has an arbitrary and continuously changing number of UFs sending them data. All running 6.7.7.

We are in a situation where we would like to deploy conf files to heavy forwarders/indexer/search head as needed, so we can identify which heavy forwarder each event has passed through. Ideally we would do this without affecting the current parsing happening to the events, which means I'm not comfortable altering the _raw (as I've seen mentioned in some answers) by appending information to the _raw at the Heavy Forwarders, and then extracting the field at index time onto indexers, or search time at search heads.

Looking at suggestions on this post, I have a couple questions: https://answers.splunk.com/answers/1453/how-do-i-add-metadata-to-events-coming-from-a-splunk-forward...

What would adding this to inputs.conf on a Heavy Forwarder do for us? Is this useful?

[default]
disabled = 0
_meta = Terminal::1

Perhaps instead something like, on the Heavy Forwarder inputs.conf:

[default]
location = mylocation

then on Indexer, props.conf:

[default]
TRANSFORMS-location = addlocation

and transforms.conf:

[addlocation]
SOURCE_KEY = location
REGEX = (.*)
FORMAT = location::$1
WRITE_META = true

Any insight and advice is greatly appreciated.
Thank you!

Reply

lindonmorris
Explorer
‎10-27-2020 07:42 PM

Just wondering if you ever worked out the best solution for this? I have the exact same requirement

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...