How do I Host name override HTTP Event Collector?

dsfyxcasdcertzu
Explorer

Hello,

We're running localhost HTTP Event Collectors on a UF for Docker containers on the same host. However, I'm unable to override the hostname of these events. Unfortunately there is no flag to do so in the Docker daemon. Therefore I've tried to do it on the forwarder as well as on the indexer, both unsuccessfully.

On the Forwarder:

/opt/splunkforwarder/etc/apps/splunk_httpinput/default/inputs.conf

# Global HEC settings. Note that files under default/ are replaced on
# upgrade; overrides belong in a local/ inputs.conf.
[http]
host = wantedHostName
disabled = 0
port = 8088
# Plain HTTP (no TLS) on port 8088
enableSSL = 0
dedicatedIoThreads = 2
maxThreads = 0
maxSockets = 0
useDeploymentServer = 0

/opt/splunkforwarder/etc/apps/splunk_httpinput/local/inputs.conf

# Token stanza. `host` here is only the default for events that carry no
# host of their own; a `host` key inside the JSON posted to
# /services/collector/event takes precedence over it.
[http://localhost]
host = wantedHostName
description = <desc>
disabled = 0
index = main
token = <token>
useACK = false


On the indexer:

/opt/splunk/etc/system/local/props.conf

# Applies to events that arrive with host badHostName; must live on the
# first parsing instance in the event's path (here the indexer).
[host::badHostName]
TRANSFORMS-badhost = badHostName

/opt/splunk/etc/system/local/transforms.conf

[badHostName]
DEST_KEY = MetaData:Host
# A bare "*" is not a valid regular expression (nothing to repeat), so the
# transform would fail to compile; "." matches any event instead.
REGEX = .
FORMAT = host::wantedHostName

None of these work. Can someone please help us out?

Cheers!

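The set-up above (Docker splunk logging driver posting to a localhost-only HEC on the UF) can be inspected and fixed at the transport level rather than in inputs.conf. The following is an added example, not code from the post or from the Splunk or Docker projects: a small loopback proxy that parses the HEC batch the driver sends to /services/collector/event, rewrites the per-event `host` key (which is what overrides the token stanza's `host`), and relays the request to the UF's HEC port. The upstream address 127.0.0.1:8088, the proxy port 18088, the name `wantedHostName` and the sample batch are all assumptions or constructed data.

```python
"""Localhost HEC host rewriter between the Docker splunk logging driver and the
UF's HEC port. Added example, not Splunk or Docker project code.
The driver posts to /services/collector/event with a `host` key in every
event's metadata, and HEC lets that per-event key override the stanza `host`
in inputs.conf; rewriting it here changes the host before Splunk assigns it.
Assumptions: plain-HTTP upstream on 127.0.0.1:8088 (as in the thread), no
splunk-gzip on the driver, "wantedHostName" is a placeholder."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

WANTED_HOST = "wantedHostName"      # placeholder, as in the thread
UPSTREAM = "http://127.0.0.1:8088"  # assumption: the UF's localhost-only HEC


def parse_hec_batch(body: str) -> list:
    """Split a HEC batch (concatenated JSON objects, not a JSON array) into
    event dicts. Rejects anything that is not an object carrying `event`."""
    decoder = json.JSONDecoder()
    events, pos = [], 0
    while True:
        while pos < len(body) and body[pos].isspace():
            pos += 1
        if pos >= len(body):
            return events
        obj, pos = decoder.raw_decode(body, pos)
        if not isinstance(obj, dict) or "event" not in obj:
            raise ValueError("not a HEC event object before offset %d" % pos)
        events.append(obj)


def rewrite_host(events: list, wanted_host: str) -> list:
    """Return copies with `host` forced to wanted_host; the driver's original
    value is kept as an indexed field (fields.orig_host) so it stays searchable."""
    out = []
    for ev in events:
        ev = dict(ev)
        orig = ev.get("host")
        if orig is not None and orig != wanted_host:
            fields = dict(ev.get("fields") or {})
            fields["orig_host"] = orig
            ev["fields"] = fields
        ev["host"] = wanted_host
        out.append(ev)
    return out


def serialize_hec_batch(events: list) -> str:
    """Re-emit events in HEC batch format (objects back to back)."""
    return "".join(json.dumps(ev, separators=(",", ":")) for ev in events)


# Constructed sample with the shape the Docker splunk driver produces for
# splunk-format=inline (two events in one batch); not captured from a real host.
SAMPLE_BATCH = (
    '{"time":1700000000.123,"host":"dockerhost01","source":"nginx",'
    '"sourcetype":"httpevent","index":"main",'
    '"event":{"line":"GET / 200","source":"stdout","tag":"nginx/abc123"}}'
    '{"time":1700000001.456,"host":"dockerhost01","source":"nginx",'
    '"sourcetype":"httpevent","index":"main",'
    '"event":{"line":"GET /x 404","source":"stdout","tag":"nginx/abc123"}}'
)


class HecRewriteHandler(BaseHTTPRequestHandler):
    """Rewrite /services/collector/event batches; relay everything else (e.g. the
    driver's GET health check) untouched. Tokens are not validated here: the
    Authorization header is passed through and the upstream HEC decides."""

    def do_GET(self):
        self._forward(None)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path.startswith("/services/collector/event"):
            try:
                batch = parse_hec_batch(body.decode("utf-8"))
            except (ValueError, UnicodeDecodeError) as exc:
                self.send_error(400, str(exc))
                return
            body = serialize_hec_batch(rewrite_host(batch, WANTED_HOST)).encode("utf-8")
        self._forward(body)

    def _forward(self, body):
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() in ("authorization", "content-type")}
        req = Request(UPSTREAM + self.path, data=body, method=self.command, headers=headers)
        try:
            with urlopen(req, timeout=10) as resp:
                status, payload = resp.status, resp.read()
        except HTTPError as err:
            status, payload = err.code, err.read()
        self.send_response(status)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Bind loopback only, like the UF's HEC port in the thread (assumed port 18088).
    HTTPServer(("127.0.0.1", 18088), HecRewriteHandler).serve_forever()
```

To use it, point the driver at the proxy instead of the UF (`--log-opt splunk-url=http://127.0.0.1:18088`, assuming the rest of the driver options stay as they are) and keep the token stanza on the UF unchanged. Because the proxy listens on loopback only and relays the `Authorization: Splunk <token>` header verbatim, it adds no new network exposure beyond the existing localhost HEC, but it does add an unauthenticated hop on the host: any local process that can reach 127.0.0.1:18088 could already reach 127.0.0.1:8088, so the trust boundary is the same.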

PickleRick
SplunkTrust

What kind of forwarder do you have there? UF doesn't have HEC inputs. HF parses events so they're sent as parsed to the downstream indexers and are _not_ parsed anymore.

dsfyxcasdcertzu
Explorer

@PickleRick wrote:

HF parses events so they're sent as parsed to the downstream indexers and are _not_ parsed anymore.


This would be the answer, btw. I'm confident that the UF does it in the same way when using the `/event` endpoint. However, transforms on the UF are not supported as far as I know.


dsfyxcasdcertzu
Explorer

Hi, @PickleRick ,

I'm indeed running UF v9.0.4 on a Linux client. I know that HEC on a UF is not supported on paper, but since the app was pre-shipped in the bundle I've tried it and it works just fine, also on other (Linux) machines.


This way we don't have to mess with certificates for Docker logs, because the port is HTTP and localhost-only on the client, with the output getting securely forwarded together with the other outputs of the UF.

Nonetheless, transforming attempts were done on the indexer.

Best



PickleRick
SplunkTrust

I must say I'm puzzled. HEC is not supposed to work on a UF. If it does, I wonder what data it sends downstream, because since it's a non-parsing component it should just send cooked data, and parsing should be done on the first "heavy" component in the event's path. So if you're sending to indexers, the events should be properly modified there according to props/transforms.

Anyway, the default metadata fields manipulation can sometimes be tricky. I always add WRITE_META to the transform stanza.


scelikok
SplunkTrust

Hi @dsfyxcasdcertzu,

Yes, the raw endpoint causes the message to change. You can try using the env field for setting the correct hostname. It will not change the host value, but you will be able to query the real hostname.

https://docs.docker.com/config/containers/logging/splunk/

If this reply helps you an upvote and "Accept as Solution" is appreciated.

dsfyxcasdcertzu
Explorer

Thank you @scelikok  for your quick response!

So essentially there is no way to override the hostname when using the default docker/splunk logging driver.
I've tried the extended docker-logging-plugin with the (undocumented) path flag in combination with the raw endpoint of HEC, but this would require transforming the complete transaction's content.


scelikok
SplunkTrust

Hi @dsfyxcasdcertzu,

To run transforms for HEC inputs, your client application must use the "raw" endpoint of the HEC output. If you are using the "event" endpoint, it is not possible to change anything in the data.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

PickleRick
SplunkTrust

Sorry, but I strongly disagree here. HEC is just another input, and the event goes through most of the processing stages. It bypasses line breaking and, unless explicitly enabled by a URL parameter, date parsing.


scelikok
SplunkTrust

Hi @PickleRick,

It is not stated in the documents, but the HEC event endpoint skips TRANSFORMS.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

PickleRick
SplunkTrust

Sorry, but no. The whole functionality of SC4S (or my rsyslog-based solution) depends on transforms working properly on HEC-based events. So no. Transforms do work normally on HEC-ingested data.
