Getting Data In

wildcard in inputs.conf splunktcp stanza?

Path Finder

Hi guys,

Is it possible to limit a splunk receiver via host wildcard.

So curently I have in inputs.conf
[splunktcp://9997]

I want to limit this strictly to various hosts only: So I can do this in inputs.conf:
[splunktcp//:lin01:9997]
[splunktcp//:lin02:9997]
[splunktcp//:lin03:9997]

How is it now possible to limit this via a wildcard, ie. only receive allow receive for hostnames begining with (whitelist) 'lin' (linux in my case) and not recieve data from a host called 'win01'?

Is this possible?

Thanks..

Splunk Employee
Splunk Employee

Judging from experience and (most importantly) from the inputs.conf.spec file, I don't believe that wildcards are accepted here.

An easy way to test this would be to attempt to set this up with a wildcard, up the log level of the TcpInputProc channel to DEBUG in $SPLUNK_HOME/etc/log.cfg and see what turns up in splunkd.log when you restart splunkd and the input is set up.