Perhaps I'm missing out on something, but I haven't found details in the Splunk documentation about how we can set up generic universal forwarders that know "magically" what deployment client they're running on.
We have a mixed environment with different breeds of application servers, and we'd want to centrally distribute a universal forwarder configuration that upon deployment (or later) would be intelligent enough to send log data with the correct syntax to the indexer.
All I've found so far are examples where parameters are hard-coded, but nothing dynamic.
How can we achieve this? Is there a way to parametrize the forwarders during deployment (i.e. Forwarder_X will run on a Tomcat host, Forwarder_Y will run on an Orion Server host)?
One idea I haven't tried is defining different server classes. After a successful deployment of forwarders, one changes the inputs.conf settings centrally on the deployment server. Then a reload of the server class:
./splunk reload deploy-server -class [server-class-name]
...would trigger an update of all forwarders and with that, we'd end up with client-specific forwarders.
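The server-class idea from the post, sketched as configuration. This is an added example, not part of the original post; the class names, app names, host patterns, log paths, sourcetypes, index and deployment server address are all assumptions.

```ini
# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# A server class selects clients by clientName, host name, DNS name or IP.
# Patterns below are assumed naming conventions, not values from the post.
[serverClass:tomcat_hosts]
whitelist.0 = tomcat-*

# App delivered to every client in the class; restart so new inputs load.
[serverClass:tomcat_hosts:app:inputs_tomcat]
stateOnClient = enabled
restartSplunkd = true

[serverClass:orion_hosts]
whitelist.0 = orion-*

[serverClass:orion_hosts:app:inputs_orion]
stateOnClient = enabled
restartSplunkd = true

# --- Deployment server:
#     $SPLUNK_HOME/etc/deployment-apps/inputs_tomcat/local/inputs.conf ---
# Path, sourcetype and index are placeholders for the Tomcat hosts.
[monitor:///opt/tomcat/logs/catalina.out]
sourcetype = tomcat:catalina
index = app_logs

# --- Deployment server:
#     $SPLUNK_HOME/etc/deployment-apps/inputs_orion/local/inputs.conf ---
# Path, sourcetype and index are placeholders for the Orion Server hosts.
[monitor:///opt/orion/log/*.log]
sourcetype = orion:server
index = app_logs

# --- Every forwarder (the generic package):
#     $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
# clientName is the only per-host value; leave it out and the whitelist
# patterns above are matched against the host name instead.
[deployment-client]
clientName = tomcat-app01

[target-broker:deploymentServer]
targetUri = deploy.example.com:8089
```

With this layout the forwarder package itself carries no inputs; each client receives the app for the class it matches, and the reload command quoted in the post makes the deployment server pick up later changes to an app.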