Getting Data In
Highlighted

wildcard in inputs.conf splunktcp stanza?

Path Finder

Hi guys,

Is it possible to limit a splunk receiver via host wildcard.

So curently I have in inputs.conf
[splunktcp://9997]

I want to limit this strictly to various hosts only: So I can do this in inputs.conf:
[splunktcp//:lin01:9997]
[splunktcp//:lin02:9997]
[splunktcp//:lin03:9997]

How is it now possible to limit this via a wildcard, ie. only receive allow receive for hostnames begining with (whitelist) 'lin' (linux in my case) and not recieve data from a host called 'win01'?

Is this possible?

Thanks..

Highlighted

Re: wildcard in inputs.conf splunktcp stanza?

Influencer

Judging from experience and (most importantly) from the inputs.conf.spec file, I don't believe that wildcards are accepted here.

An easy way to test this would be to attempt to set this up with a wildcard, up the log level of the TcpInputProc channel to DEBUG in $SPLUNK_HOME/etc/log.cfg and see what turns up in splunkd.log when you restart splunkd and the input is set up.

Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.