
Prefix data sent from a forwarder

bluecloud
New Member

How do I prefix data coming from a Universal Forwarder... basically I want data coming from a collector at a client site to have "Client_Name-"$HOSTNAME

so that if this comes from Company_ABC it would look like this in my dashboard:

Company_ABC-192.168.10.254

Bump

0 Karma

bluecloud
New Member

I was wondering if I could add data to the host depending on what forwarder it came from.

I understand I can search, but I would like to be able to add client-specific data to each host that gets forwarded from a forwarder.

As in my original post, it would be nice to add Company_ABC- as a prefix when a specific forwarder gathers data and sends it to an indexer.

0 Karma

sandeep_at_func
Explorer

Since this is for a dashboard, your easiest option is to use a lookup table. It sounds like you know what the mapping is between the name Company_ABC and the host from which the data came. You can just dump that into a CSV file and call the lookup based on "host" at search time. You need not insert it at index time.

If you absolutely must insert it at index time, your only option is to do this at the indexer upon data arrival, using a transforms stanza to insert the Company_ABC name; this approach is generally not recommended, but if you must have it that way, then use the transform.

0 Karma
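The search-time lookup suggested in the answer above, written out as an added example (not part of the original post or Splunk's own configuration). The lookup name client_hosts, the file client_hosts.csv, the field client_name, the second client row and the UNMAPPED label are assumptions made for illustration.

```ini
# --- Lookup file (constructed sample data) ---------------------------------
# $SPLUNK_HOME/etc/apps/<your_app>/lookups/client_hosts.csv
#
#   host,client_name
#   192.168.10.254,Company_ABC
#   10.20.0.7,Company_XYZ
#
# One row per forwarding host; "host" must match the value Splunk already
# stores in the default host field for that forwarder's events.

# --- Lookup definition ------------------------------------------------------
# $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf on the search head.
# The stanza name is what the lookup command refers to in the search.
[client_hosts]
filename = client_hosts.csv

# --- Dashboard search -------------------------------------------------------
# Nothing is rewritten at index time; the prefix is built when the panel runs.
#
#   index=* | stats count by host
#   | lookup client_hosts host OUTPUT client_name
#   | eval client_host=coalesce(client_name, "UNMAPPED")."-".host
#   | table client_host count
#
# For the sample row above this yields client_host = Company_ABC-192.168.10.254.
# A host with no row in the CSV has a null client_name, so coalesce() labels
# it UNMAPPED-<host> instead of dropping the prefix silently, which makes
# forwarders missing from the mapping visible on the dashboard.
```

Because the indexed host value stays untouched, correcting a wrong client mapping only requires editing the CSV; already-indexed events pick up the new name on the next search.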

sandeep_at_func
Explorer

You don't need to explicitly tell the forwarder to send the host name of the machine where the data is coming from. Splunk handles that by default. The field name is "host".

So for example, if you wanted to see a full listing of all the hosts that are sending data to your Indexers, you can execute a query like this:

index=* | dedup host | table host

0 Karma