wildcard in inputs.conf splunktcp stanza?

mark · ‎01-18-2012

Hi guys,

Is it possible to limit a splunk receiver via host wildcard.

So curently I have in inputs.conf
[splunktcp://9997]

I want to limit this strictly to various hosts only: So I can do this in inputs.conf:
[splunktcp//:lin01:9997]
[splunktcp//:lin02:9997]
[splunktcp//:lin03:9997]

How is it now possible to limit this via a wildcard, ie. only receive allow receive for hostnames begining with (whitelist) 'lin' (linux in my case) and not recieve data from a host called 'win01'?

Is this possible?

Thanks..

hexx · ‎01-18-2012

Judging from experience and (most importantly) from the inputs.conf.spec file, I don't believe that wildcards are accepted here.

An easy way to test this would be to attempt to set this up with a wildcard, up the log level of the TcpInputProc channel to DEBUG in $SPLUNK_HOME/etc/log.cfg and see what turns up in splunkd.log when you restart splunkd and the input is set up.

wildcard in inputs.conf splunktcp stanza?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

wildcard in inputs.conf splunktcp stanza?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future