Getting Data In

What is the best practice for configuring a Splunk Forwarder 5.0.3 for custom fields to be appended to the source?

JKnightSplunk
Engager

Hi all,

I'm looking to add some custom fields to the Splunk Forwarder, but am struggling to find a way of achieving this and determine the best way for performance.

Could I please get an example of configuring this through the forwarder for two additional fields to be appended to the source only to be retrieved through search with these values. Additionally, these two fields should be able to be populated through a script as this value will reside within a file on the server the forwarder resides.

Thanks in advance for any input.

0 Karma
1 Solution

lguinn2
Legend

Splunk has a server name that it stores in $SPLUNK_HOME/etc/system/local/server.conf and in $SPLUNK_HOME/etc/system/local/inputs.conf

The server name in inputs.conf is the one that is automatically set as the host field for data, unless you specifically override it:

[default]
host = the_host_name

In AWS, I believe that you can have a "run once" script that runs when a new instance is started for the first time. That would be the perfect place to set the host name to whatever you want. And the host name will be part of the data that is collected for every input.

On the search head (or indexer if there is no search head), you can create search time fields based on the host name using props.conf.

Actual "custom fields" (for example, where additional fields are added to a log file) are not easy to do in Splunk. Another approach, which might be better: collect instance information as a separate input, and then use it as part of a search or a lookup table. The best way to do this is probably a scripted input. You write a script that collects the data that you want; the input then runs the script at intervals and Splunk indexes the output of the script.
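One way to implement the scripted-input approach described above, as an added example that is not from the thread or from Splunk: a forwarder script that reads the instance-id and IP from a file left behind by the first-boot script and emits them as key=value pairs, which Splunk extracts as fields at search time. The file path, app name, stanza and field names are assumptions for the example.

```shell
#!/bin/sh
# Scripted input for a Universal Forwarder: reads instance metadata that a
# first-boot script wrote to a file and prints one event per run as key=value
# pairs. Splunk extracts key=value pairs at search time, so the values become
# searchable as fields (e.g. instance_id=...) with no props.conf on the forwarder.
#
# Assumed wiring (names are this example's own, not from the thread):
#   $SPLUNK_HOME/etc/apps/instance_info/bin/instance_info.sh  (this script)
#   $SPLUNK_HOME/etc/apps/instance_info/local/inputs.conf:
#     [script://./bin/instance_info.sh]
#     interval = 3600
#     sourcetype = instance_info
#
# The metadata file is parsed line by line and never sourced: sourcing it would
# execute anything written into it with the privileges of the splunk user.

INFO_FILE="${INFO_FILE:-/etc/splunk-instance-info}"   # hypothetical path

# Print one event line for the given file. Only the expected keys are emitted,
# and each value is restricted to a safe character set so a stray space or
# quote cannot corrupt the key=value extraction; anything else becomes "unknown".
emit_instance_event() {
    file="$1"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    line="$ts"
    for key in instance_id private_ip region; do
        value=$(sed -n "s/^$key=//p" "$file" | head -n 1 | tr -d '\r')
        case "$value" in
            ''|*[!A-Za-z0-9._-]*) value=unknown ;;   # missing or unsafe value
        esac
        line="$line $key=$value"
    done
    printf '%s\n' "$line"
}

if [ -r "$INFO_FILE" ]; then
    emit_instance_event "$INFO_FILE"
else
    # Constructed sample so the script runs stand-alone without the real file.
    tmp=$(mktemp)
    printf 'instance_id=i-0abc1234def56789\nprivate_ip=10.0.1.23\nregion=us-east-1\n' > "$tmp"
    emit_instance_event "$tmp"
    rm -f "$tmp"
fi
```

Each run produces one event such as `2026-01-01T00:00:00Z instance_id=i-0abc1234def56789 private_ip=10.0.1.23 region=us-east-1`, which can then be joined to other data by host in a search or fed into a lookup table.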


lguinn2
Legend

Can you explain the data a little more specifically? What is in the source, and what are the additional fields? Can the additional fields be computed from any information in the source input?

0 Karma

JKnightSplunk
Engager

Hi lguinn,

The device is instantiated through an AWS AMI which has the Splunk forwarder installed. I've configured the Splunk host name to give more details than the AMI number such as - which will only need to be set once along with some additional data such as the IP and instance-id. We'd prefer this additional data was able to be queried via fields of these names.

Any best way of configuring the host name without external tools would be appreciated too.

0 Karma