Getting Data In

Assign environment and role data to a monitor stanza

feedmagnet
New Member

Hello, I am test driving splunkstorm and I am very new to the ecosystem. Here is what I am trying to do:

I have web_host, magnet_host, db_host as kinds of machines.
I have prod_tiny, prod_small, prod_large for environments

I would like to do something like this:

# Set some search criteria
[monitor]
chef_environment=dev
role=magnet_host
# Grab syslog to let us know when OOM becomes active
[monitor:///var/log/syslog]
# Grab all our application logs
[monitor:///var/log/feedmagnet/]

so that the input from this magnet_host is indexed so I can search on just that while it is also indexed on the environment "dev" so I can also search that way as well.

My goal is to say

  • "see if this error is common to webservers across all environments"
  • "see if I am getting any errors in prod_tiny with the release b/f I release to prod_small"

and so on.

Thanks for your time in answering my obviously noob question!
Boyd

0 Karma

Ayn
Legend

It sounds like you would benefit from using tags. You can tag hosts with things like what environment you consider them to belong to. inputs.conf is strictly for defining inputs, not for classifying them in any other way than what source, sourcetype or index they'll belong to.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Abouttagsandaliases

0 Karma

Ayn
Legend

Unfortunately (in your situation that is) tagging is a search-time operation and as such only settings on the Splunk instance you're searching from matter. Also Universal Forwarders can't do any event transforming so things like adding custom fields to all events are out of the question as well.

0 Karma
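
Because tagging is applied at search time on the instance you search from, one way to cover many hosts is to generate the host stanzas of tags.conf on that instance from an inventory. The following is an added example, not part of the original posts: the inventory, hostnames and function names are constructed, and it assumes a Splunk instance whose tags.conf you can write to.

```python
import re

# Constructed sample inventory: host -> (environment, role). In practice this
# would be exported from the provisioning system (assumption).
INVENTORY = {
    "web01": ("prod_tiny", "web_host"),
    "web02": ("prod_small", "web_host"),
    "magnet01": ("dev", "magnet_host"),
    "db01": ("prod_large", "db_host"),
}

# Simplification for this example: names are limited to letters, digits and
# underscore, so nothing in the inventory can alter the file structure.
_SAFE = re.compile(r"[A-Za-z0-9_]+")


def render_tags_conf(inventory):
    """Return tags.conf text tagging each host with its environment and role."""
    stanzas = []
    for host in sorted(inventory):
        tags = inventory[host]
        for value in (host, *tags):
            # Refuse values that could inject a stanza header or extra setting.
            if not _SAFE.fullmatch(value):
                raise ValueError(f"unsafe name in inventory: {value!r}")
        lines = [f"[host={host}]"] + [f"{tag} = enabled" for tag in tags]
        stanzas.append("\n".join(lines))
    return "\n\n".join(stanzas) + "\n"


def hosts_with_tags(inventory, *wanted):
    """Local check: which hosts carry every tag in `wanted`."""
    return sorted(h for h, tags in inventory.items() if set(wanted) <= set(tags))


if __name__ == "__main__":
    print(render_tags_conf(INVENTORY))
    # Hosts a search such as `tag=web_host tag=prod_tiny` would be scoped to.
    print(hosts_with_tags(INVENTORY, "web_host", "prod_tiny"))
```

With these tags in place, a search like `tag=web_host error` covers web servers in every environment, and `tag=prod_tiny error` covers one environment across roles.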

feedmagnet
New Member

Thanks for the direction Ayn! This was a start in the right direction I think. After reading a few more pages on tagging I landed on "Tag the host field".

I have ~200 machines. They are cloud based and transient. So the above tells how to tag in the GUI. I want the forwarder installed on the machine to do the tagging. So I am still stuck at how does the machine identify itself as a certain kind and in a certain environment.

Any more insight would be greatly appreciated.

Thanks
Boyd

0 Karma