Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to send host grouping information from a forwarder?

d044160
Explorer
‎01-15-2015 09:46 AM

In an inputs.conf I can define a forwarder's host field which I can use in searches. Identifying a single host is not always enough, e.g., we have build servers, source code management servers, filers etc. to monitor - a kind of grouping would come in handy in order to limit searches to a certain group of hosts. We could do that by maintaining lists and using them as look-ups, but I was wondering whether there's the possibility to achieve that on the forwarder with just configuration. Example:

inputs.conf on host A:



host=hosta

group=build_servers

inputs.conf on host B:


host=hostb

group=git_servers

I want to be able to search for something like 

search host=* group="build_servers" sourcetype="df" ... | ...

Is there a way to do this?

0 Karma
Reply

srioux
Communicator
‎01-15-2015 12:40 PM

Splunk records pretty limited information per-event; your best bet would be to either have a lookup field (which you mentioned may not work), filters as a set of macros or eventtypes (again, based on static info), or to have it built-in to one of the default metadata-scraped fields:

  • Have it built-in to the "host" field (ex: have domain portions of the FQDN identify grouping)
  • Have it built-in to the "source" field (ex: prefix/suffix source value with a tag - I've seen this done where we had "grouping" built-in to the directories of the log files we were scraping)
  • Have it built-in to the "sourcetype" field (entirely dependent on your environment, but I'd generally prefer to have slightly broader sourcetypes)
0 Karma
Reply

d044160
Explorer
‎01-16-2015 06:52 AM

I almost suspected that. Thanks for summarizing my options ... "host" and "source" won't work because those are outside my jurisdiction (I don't own the monitorees) and I agree, abusing "sourcetype" for that purpose would harm "sourcetype" as a more or less well-known concept in my Splunk deployment.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...