What would a props/transform look like on an indexer that would append to the hostname field at index time based on the serverclass of the forwarder sending events?
If we are launching different serverclasses into specific interfaces, then setting the regex in the serverclass to mark those as "web servers" to push out deployment apps etc. What is the best practice if you don't want to actively manipulate the inputs host = stanza on the forwarders, to basically add a string in front of the auto reported IP for the host name that the forwarder assigns at index time?
You need to play around with server.conf:
I am pretty sure that if you deploy this setting BEFORE you start Splunk the first time, it will initialize the way that you are asking:
serverName=web-$COMPUTERNAME
In any case, you can DEFINITELY edit the setting post-install in $SPLUNK_HOME/etc/system/local/server.conf and set it there and everything that that host sends in will be updated for all events (even the internal index=_* ones).
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf
Do you really mean serverclass in your question? This is a highly unusual (and really impossible) request, at least if taken literally. If what you mean is to create a series of deployment apps, each of which maps to a specific serverclass, and each of which has a particular hostname override, then this is very doable and there is a ton of documentation on each of the 2 steps. Which step is giving you trouble?
I was overthinking it I believe, however I am a little confused over the last step.
Basically let the forwarder auto assign the hostname, which in our case would be the IP.
It then phones home, where the deployment server maps its serverclass and pushes the assigned apps out.
In the inputs of those assigned apps we just set the host name.
If the auto assigned for example is 10.2.5.120, how would you go about creating a stanza that basically did this in the inputs sent out to that forwarder?
[default]
host = web-<auto assigned host>
for a host set in splunk for events coming from that server as host = web-10.2.5.120
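The index-time rewrite asked about in the original question, as an added example that is not part of any post in this thread: a props/transforms pair for the indexer (or a heavy forwarder) that prepends `web-` to the host value. It keys on the reported host value rather than on the serverclass; the `10.2.5.*` pattern and the stanza name `prefix_web_host` are assumptions made for illustration.

```ini
# props.conf (on the indexer or heavy forwarder, where parsing happens)
# Assumption: the web-server forwarders report hosts in 10.2.5.*
[host::10.2.5.*]
TRANSFORMS-prefix_web_host = prefix_web_host

# transforms.conf (same instance as props.conf)
# "prefix_web_host" is a hypothetical stanza name.
[prefix_web_host]
# Read the current host metadata; its value has the form "host::<value>"
SOURCE_KEY = MetaData:Host
# Capture the existing host, skipping values that already carry the prefix
REGEX = ^host::(?!web-)(.+)$
# Write the prefixed value back to the host metadata
DEST_KEY = MetaData:Host
FORMAT = host::web-$1
```

The rewrite applies only to events indexed after the configuration is loaded, so searches and alerts that filter on `host` need to account for both the old and the prefixed values.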