Is it possible to send host grouping information from a forwarder?

d044160
Explorer

In an inputs.conf I can define a forwarder's host field which I can use in searches. Identifying a single host is not always enough, e.g., we have build servers, source code management servers, filers etc. to monitor - a kind of grouping would come in handy in order to limit searches to a certain group of hosts. We could do that by maintaining lists and using them as look-ups, but I was wondering whether there's the possibility to achieve that on the forwarder with just configuration. Example:

inputs.conf on host A:

host=hosta
group=build_servers

inputs.conf on host B:

host=hostb
group=git_servers

I want to be able to search for something like

search host=* group="build_servers" sourcetype="df" ... | ...

Is there a way to do this?

srioux
Communicator

Splunk records pretty limited information per-event; your best bet would be to either have a lookup field (which you mentioned may not work), filters as a set of macros or eventtypes (again, based on static info), or to have it built-in to one of the default metadata-scraped fields:

  • Have it built-in to the "host" field (ex: have domain portions of the FQDN identify grouping)
  • Have it built-in to the "source" field (ex: prefix/suffix source value with a tag - I've seen this done where we had "grouping" built-in to the directories of the log files we were scraping)
  • Have it built-in to the "sourcetype" field (entirely dependent on your environment, but I'd generally prefer to have slightly broader sourcetypes)
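As an added configuration example (not posted by either participant in this thread), here are the two ways to get a "group" field onto events so that the search from the question works: the centrally maintained lookup the answer names as the first option, and a forwarder-side indexed field stamped through inputs.conf, which is what the question asks for. The app name host_groups, the file host_groups.csv, the field name "group" and the sample host-to-group rows are all assumptions made for this example.

```ini
# Added example, not configuration from the original thread.
# Goal: make "search host=* group="build_servers" sourcetype="df" ..." work.
# App name, file names, the "group" field and the sample rows are assumed.

# --- Option A: search-time field from a centrally maintained lookup ---

# $SPLUNK_HOME/etc/apps/host_groups/lookups/host_groups.csv (constructed sample)
#   host,group
#   hosta,build_servers
#   hostb,git_servers
#   hostc,filers

# $SPLUNK_HOME/etc/apps/host_groups/local/transforms.conf
[host_groups_lookup]
filename = host_groups.csv

# $SPLUNK_HOME/etc/apps/host_groups/local/props.conf
# Automatic lookup for the "df" sourcetype: the event's host field is the
# key, and "group" is added as a search-time field. Repeat the LOOKUP-
# line under every sourcetype that should carry the field.
[df]
LOOKUP-host_group = host_groups_lookup host OUTPUTNEW group

# --- Option B: indexed field stamped by the forwarder itself ---

# inputs.conf on host A. A [default] stanza applies _meta to every input
# defined on this forwarder; "group" is the assumed field name.
[default]
host = hosta
_meta = group::build_servers

# inputs.conf on host B
[default]
host = hostb
_meta = group::git_servers

# fields.conf on the search head, so that group="build_servers" is
# resolved against the indexed field instead of a search-time extraction.
[group]
INDEXED = true
```

With either option the search `sourcetype="df" group="build_servers"` limits results to that group. The two differ in who controls the value and when it is applied: the lookup is owned by whoever administers the search head, can be changed at any time and applies retroactively to already-indexed events, whereas `_meta` is written at index time by the forwarder, so events keep whatever group the forwarder claimed when they arrived and a host that is re-grouped needs its inputs.conf updated. If the group is going to be used to scope who may see what, the centrally maintained lookup is the value to trust, since anyone who can edit a forwarder's inputs.conf can stamp any group they like.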

d044160
Explorer

I almost suspected that. Thanks for summarizing my options ... "host" and "source" won't work because those are outside my jurisdiction (I don't own the monitorees) and I agree, abusing "sourcetype" for that purpose would harm "sourcetype" as a more or less well-known concept in my Splunk deployment.
