Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Prefix data sent from a forwarder

bluecloud
New Member
‎07-26-2012 05:43 AM

how do i prefix data comming from a Universal Forwarder... basically i want data comming from a collector at a client site to have "Client_Name-"$HOSTNAME

so that if this come from Company_ABC it would look like this in my dashboard

Company_ABC-192.168.10.254

Bump

Tags (1)
0 Karma
Reply

bluecloud
New Member
‎08-04-2012 03:18 PM

I was wondering if I could add data to the host depending on what forwarder out came from

I understand I can search but I would like to be able to add client specific data to each host that gets forwarded from a forwarder.

As in my original post or would be nice to add Company_ABC- as a prefix when a specific forwarder gathers data and sends to an indexer.

0 Karma
Reply

sandeep_at_func
Explorer
‎08-04-2012 03:36 PM

Since this is for a dashboard, your easiest option is to use a lookup table. It sounds like you know what the mapping is between the name Company_ABC and the host from which the data came from. You can just dump that into a csv file and call the lookup based on "host" at search time. You need not insert it at index time.

If you absolutely must insert it at index time, your only option is to do this at the indexer upon data arriva using a transforms stanza to insert the Company_ABC name; this approach is generally not recomended, but if you must have it that way, then use the transform.

0 Karma
Reply

sandeep_at_func
Explorer
‎08-04-2012 03:07 PM

You don't need to explicitly tell the forwarder to send the host name of the machine from where the data is coming from. Splunk handles that by default. The field name is "host".

So for example, if you wanted to see a full listing of al the hosts that are sending data to your Indexers, you can execute a query like this:

index=* | dedup host | table host

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...