Getting Data In

Is it possible to send host grouping information from a forwarder?

d044160
Explorer

In an inputs.conf I can define a forwarder's host field which I can use in searches. Identifying a single host is not always enough, e.g., we have build servers, source code management servers, filers etc. to monitor - a kind of grouping would come in handy in order to limit searches to a certain group of hosts. We could do that by maintaining lists and using them as look-ups, but I was wondering whether there's the possibility to achieve that on the forwarder with just configuration. Example:

inputs.conf on host A:

host=hosta
group=build_servers

inputs.conf on host B:

host=hostb
group=git_servers

I want to be able to search for something like

search host=* group="build_servers" sourcetype="df" ... | ...

Is there a way to do this?

0 Karma

srioux
Communicator

Splunk records pretty limited information per-event; your best bet would be to either have a lookup field (which you mentioned may not work), filters as a set of macros or eventtypes (again, based on static info), or to have it built-in to one of the default metadata-scraped fields:

  • Have it built-in to the "host" field (ex: have domain portions of the FQDN identify grouping)
  • Have it built-in to the "source" field (ex: prefix/suffix source value with a tag - I've seen this done where we had "grouping" built-in to the directories of the log files we were scraping)
  • Have it built-in to the "sourcetype" field (entirely dependent on your environment, but I'd generally prefer to have slightly broader sourcetypes)
0 Karma
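The two options from the answer that can be expressed purely in Splunk configuration, written out as an added example that is not code from the original thread: grouping carried in the host FQDN (the answer's first bullet) and grouping supplied by a lookup, attached automatically so it behaves like a searchable field. The hostnames, the `build.example.com` / `git.example.com` domains, the `host_groups` lookup name and the `df` sourcetype stanza are assumed for illustration.

```ini
# --- inputs.conf on host A (assumed hostname): the group lives in the FQDN
#     of the host field, so nothing extra has to travel with the events
[default]
host = hosta.build.example.com

# --- inputs.conf on host B (assumed hostname)
[default]
host = hostb.git.example.com

# --- transforms.conf on the search head: lookup-based grouping, kept in a
#     CSV so the mapping is maintained centrally instead of on each forwarder.
#     host_groups.csv (constructed sample, placed in the app's lookups/ dir):
#       host,group
#       hosta.build.example.com,build_servers
#       hostb.git.example.com,git_servers
[host_groups]
filename = host_groups.csv

# --- props.conf on the search head: attach the lookup automatically to the
#     df sourcetype so "group" is resolved at search time for every df event
[df]
LOOKUP-host_groups = host_groups host OUTPUT group
```

With the FQDN approach the group is selected by a wildcard on the host field, `sourcetype=df host="*.build.example.com"`; with the automatic lookup the search from the question works almost unchanged, `sourcetype=df group=build_servers`. Two caveats: the `host` values in the CSV must match the indexed host field exactly (CSV lookups are case-sensitive by default), and a `host` set in inputs.conf only affects events indexed after the change, so historical events keep whatever host value they were indexed with.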

d044160
Explorer

I almost suspected that. Thanks for summarizing my options ... "host" and "source" won't work because those are outside my jurisdiction (I don't own the monitorees) and I agree, abusing "sourcetype" for that purpose would harm "sourcetype" as a more or less well-known concept in my Splunk deployment.

0 Karma