Getting Data In

How can I set host for TCP input to deploy client machine?

juniormint
Communicator

I'm using the configuration deployment server to manage a bunch of forwarders. One of the apps that they get has inputs.conf with a stanza like this

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource

I would like to do something to override the host to the forwarder machine address, but don't know if it's possible. How would I do this? Seems like it should be accessible since it's effectively a constant.

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = THISMACHINE

0 Karma
juniormint
Communicator

The problem is that connections from the same machine (localhost) would not appear as the hostname from dns. It happens to be the case that all connections to this input are from localhost, so the following is an acceptable solution.

[tcp://12345]
# you need this
connection_host = none
sourcetype = log4j
source = mysource
# and this
host = $decideOnStartup

0 Karma
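An added example to go with the stanza in juniormint's answer above (my own code, not from the thread and not Splunk's parser): a minimal reader for the .conf format, a lint that catches comments left on the same line as a setting (Splunk settings files only treat '#' at the start of a line as a comment, so "none # you need this" becomes the value), and a small model of which host value a TCP input ends up stamping on events under connection_host = ip, dns and none. Getting this right matters for investigations, since the host field is what an analyst pivots on. The sample stanzas are constructed, the rdns table stands in for real DNS, and treating "ip" as the default connection_host and falling back to the peer IP when no name is known are assumptions of the model.

```python
import socket
from typing import Dict, List, Optional

# Constructed samples: the stanza as originally posted (with inline
# comments) and the same stanza with the comments on their own lines.
POSTED = """\
[tcp://12345]
connection_host = none # you need this
sourcetype = log4j
source = mysource
host = $decideOnStartup # and this
"""

CORRECTED = """\
[tcp://12345]
# with connection_host = none the host setting below is used as-is
connection_host = none
sourcetype = log4j
source = mysource
# $decideOnStartup resolves to this machine's hostname at splunkd startup
host = $decideOnStartup
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf reader: [stanza] headers and key = value lines.
    A '#' starts a comment only at the beginning of a line; a '#' after a
    value stays part of the value (assumption: models Splunk's rule that
    settings files do not support trailing inline comments)."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_inline_comments(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag values that still contain a '#': the usual sign that a comment
    was written on the same line as the setting."""
    findings: List[str] = []
    for name, settings in stanzas.items():
        for key, value in settings.items():
            if "#" in value:
                findings.append(f"[{name}] {key} = {value!r}")
    return findings


def resolve_host(stanza: Dict[str, str], peer_ip: str,
                 local_hostname: Optional[str] = None,
                 rdns: Optional[Dict[str, str]] = None) -> str:
    """Model of the host value a TCP input stamps on an event.

    connection_host = ip   -> the connecting peer's address
    connection_host = dns  -> reverse lookup of the peer (the rdns table
                              replaces DNS so this runs offline; falls back
                              to the IP when no name is known, an assumption)
    connection_host = none -> the stanza's own host setting, where
                              $decideOnStartup means the local hostname
    Assumption: 'ip' is the default when connection_host is not set.
    """
    rdns = rdns or {}
    local_hostname = local_hostname or socket.gethostname()
    mode = stanza.get("connection_host", "ip").lower()
    if mode == "ip":
        return peer_ip
    if mode == "dns":
        return rdns.get(peer_ip, peer_ip)
    if mode == "none":
        host = stanza.get("host", "$decideOnStartup")
        return local_hostname if host == "$decideOnStartup" else host
    # Anything else (e.g. 'none # you need this') is not a valid mode.
    raise ValueError(f"unrecognised connection_host value: {mode!r}")


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("corrected", CORRECTED)):
        conf = parse_conf(text)
        print(label, "lint:", lint_inline_comments(conf) or "clean")
        try:
            print(label, "host:",
                  resolve_host(conf["tcp://12345"], "127.0.0.1", "FWD01"))
        except ValueError as exc:
            print(label, "host: error ->", exc)
```

Run it as a script to see the posted stanza fail the lint and the host resolution, while the corrected stanza resolves to the forwarder's own name; point parse_conf at a real inputs.conf to lint it before deploying.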

grijhwani
Motivator

You should not need to. Splunk relies on being able to determine the hostname from the inherent network configuration. It is a static part of the local machine configuration, not part of the generic app. At worst you could create local configs for each forwarder at install time (in $SPLUNK_HOME/etc/system/local) which in the absence of anything else will be taken as a static value.

The Splunk configuration model is layered, allowing application configurations to override specific static default and static local configuration elements. Deployed configurations should only contain those elements which are generic and dynamic.

The Splunk deployment I manage used to have a lot more forwarder endpoints than it does now, relying as it did on cluster deployments. The hostname was never a factor.

grijhwani
Motivator

The "forwarder" is the client forwarding logs to the indexer. Ordinarily this will be the initial source agent. Are you saying that in your case you have your generating source talking to an intermediate forwarder, which then passes logs on to the indexer, and it is this intermediary that you want recorded in the index as the source? If that is the case, you are talking about using "transforms" on the intermediary.

0 Karma

jtacy
Builder

Sounds like this should do it:
[tcp://12345]
connection_host = none
sourcetype = log4j
source = mysource

0 Karma

juniormint
Communicator

Seems like this is what I am seeking
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsc

host =

  • If set to '$decideOnStartup', will be interpreted as hostname of executing machine; such interpretation will occur on each splunkd startup. This is the default.
0 Karma

juniormint
Communicator

I am not quite following. My guess is that what I have above in my app will use the host data of what is connecting to the TCP input. What I want is to override and use the hostname of the forwarder.

I get that I can do the following and the host field will be set to "THISMACHINE", but what I want is something like host = %HOSTNAME%. Is it possible to do this?

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = THISMACHINE

0 Karma

juniormint
Communicator

Forgot to mention these are Windows machines.

0 Karma