Is there a unique ID assigned to each forwarder to...

sakarunanitk · ‎04-05-2016

Hi,

I have set up multiple forwarders sending events to a remote indexer. I am going to use the indexed data for further processing,. I wanted to know if there is a unique id assigned to each forwarder which will help me in knowing from which forwarder that indexed data belongs to.

Thanks,
Saravana Prabhu K

mcronkrite · ‎04-05-2016

You can add any value you want as an indexed field. You need to setup a WRITE_META in a props/transform like this.

props.conf

[mysourcetype]
TRANSFORMS-add_hostfwd = add_indexedfield

transforms.conf

[add_indexedfield]
WRITE_META = true
DEST_KEY = _meta
FORMAT = host_forwarder::$1
DEFAULT_VALUE = 123

fields.conf

[host_forwarder]
INDEXED = true

http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/Configureindex-timefieldextraction

But
You shouldn't run multiple forwarders on the same host, instead use index and sourcetypes in your inputs to segregate data or accept data from different inputs. The universal forwarder can listen on many ports, so lots of options around using the multiple instances.

sakarunanitk · ‎04-06-2016

Thanks for the update

somesoni2 · ‎04-05-2016

Each forwarder will be assigned a "host" name and by default the same "host" (metadata) field will be available in all events/indexed data. The host field value may get updated (using transform/host regex on inputs.conf etc.) depending upon your configuration setup.

sakarunanitk · ‎04-05-2016

Thanks for the info. But if there are multiple forwarders running on the same host?

Is there a unique ID assigned to each forwarder to help me determine from which forwarder certain indexed data belongs to?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!