Getting Data In

Is there a unique ID assigned to each forwarder to help me determine from which forwarder certain indexed data belongs to?

sakarunanitk
Explorer

Hi,

I have set up multiple forwarders sending events to a remote indexer. I am going to use the indexed data for further processing,. I wanted to know if there is a unique id assigned to each forwarder which will help me in knowing from which forwarder that indexed data belongs to.

Thanks,
Saravana Prabhu K

0 Karma

mcronkrite
Splunk Employee
Splunk Employee

You can add any value you want as an indexed field. You need to setup a WRITE_META in a props/transform like this.

props.conf

[mysourcetype]
TRANSFORMS-add_hostfwd = add_indexedfield

transforms.conf

[add_indexedfield]
WRITE_META = true
DEST_KEY = _meta
FORMAT = host_forwarder::$1
DEFAULT_VALUE = 123

fields.conf

[host_forwarder]
INDEXED = true

http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/Configureindex-timefieldextraction

But
You shouldn't run multiple forwarders on the same host, instead use index and sourcetypes in your inputs to segregate data or accept data from different inputs. The universal forwarder can listen on many ports, so lots of options around using the multiple instances.

0 Karma

sakarunanitk
Explorer

Thanks for the update

0 Karma

somesoni2
Revered Legend

Each forwarder will be assigned a "host" name and by default the same "host" (metadata) field will be available in all events/indexed data. The host field value may get updated (using transform/host regex on inputs.conf etc.) depending upon your configuration setup.

sakarunanitk
Explorer

Thanks for the info. But if there are multiple forwarders running on the same host?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...