Solved: Is there a way to get the <hostname_HF> automatica...

dkeck · ‎07-12-2021

HI,

I try to figure out a way to create a new field on a heavy forwarder. I want to add the field "splunk_parser" to every event, like the field "splunk_server", to be able to understand where an event was parsed and from which HF the event is coming.

The best way would be to get the hostname from the linux machine directly. For a small amount of HF I could specify the hostname manually, but not for a bigger number of HFs.

So what I came up with is this:

props.conf
[host::*]
TRANSFORMS-splunk_parser= splunk_parser_ext


transforms.conf
[splunk_parser_ext]
INGEST_EVAL = splunk_parser="<hostname_HF>"

fields.conf
[splunk_parser]
INDEXED=true

Is there a way to get the <hostname_HF> automatically assigned? with a token or extracted from the default fields?!

Any hint is highly appreciated.

Thank you

David

jotne · ‎02-07-2022

You are close 🙂

We also needed to get the name of the HF the data passed, so here is the solution we found.

Make an app and send it to all HF servers:

transforms.conf
[set_hf_server_name]
INGEST_EVAL = splunk_hf_name := splunk_server

props.conf
[source::...]
TRANSFORMS_set_hf_server_name = set_hf_server_name

source:...
mens do some with any packet passing this server

INGEST_EVAL = splunk_hf_name := splunk_server
get the name of the current Splunk server and set it to the field splunk_hf_name

View solution in original post

jotne · ‎02-07-2022

You are close 🙂

We also needed to get the name of the HF the data passed, so here is the solution we found.

Make an app and send it to all HF servers:

transforms.conf
[set_hf_server_name]
INGEST_EVAL = splunk_hf_name := splunk_server

props.conf
[source::...]
TRANSFORMS_set_hf_server_name = set_hf_server_name

source:...
mens do some with any packet passing this server

INGEST_EVAL = splunk_hf_name := splunk_server
get the name of the current Splunk server and set it to the field splunk_hf_name

dkeck · ‎02-08-2022

Hi,

thank you for the solution, works great 🙂

jotne · ‎02-08-2022

You are welcome.

We did this in two level. Server that do collect data (syslog/hec/Azure) get a field called splunk-collector-name. The data passing a set of heavy forwarders (to tag customer name and filtering) where we add a field called splunk-hf-name. This way we can see what syslog server it passes and what heavy forwarder. Also easy to see if load balanse og syslog/hf etc works fine.

dkeck · ‎11-04-2022

did you get this working for UFs as well? If the UF is an intermediate Forwarder or syslog forwarder.

I have the fealing they don´t have a "splunk_server" field to use.

jotne · ‎11-04-2022

I have not tried it on UF. All UF do have a hostname that you will see. Syslog that sends to a server do not have a hostname directly (if its not set in the packet it self).

dkeck · ‎07-15-2021

hm, no one?

Any other way to get this done with another approach?

Is there a way to get the <hostname_HF> automatically assigned, with a token or extracted from the default fields?

field extraction

heavy forwarder

Linux

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)