Can't figure out how to set the index that splunk-forwarder sends to #205

Closed
MattWeatherford opened this issue Oct 26, 2018 · 5 comments

Comments

@MattWeatherford

Hi,
I'm unable to figure out how to set the indexer that this puppet-splunk module will send data to... I've got a splunk server with a "LINUX" index - how can I configure the forwarder to send to that index rather than default? I'm using the universal fwder 7.2.0

And while I'm at it, thank you for a great module - this has saved me so much time!

-Matt

@TheFuzz4

Matt,
Did you ever figure this out? I just installed this module today and it's amazing, but I also cannot for the life of me figure out how to tell it which index to send the data into.

@MattWeatherford
Author

No, I never sorted it out - I suspect it isn't supported

@dave-pollock
Contributor

I haven't tested this, but wouldn't it be something like:

splunkforwarder_input { 'default/index':
  value => 'LINUX',
}

@MattWeatherford
Author

YES- thank you @dave-pollock - this works! I've defined a splunk client role like this:

  # Forwarder target: the Splunk server that receives the data
  class { '::splunk::params':
    server => 'mysplunk.domain.name.org',
  }

  class { '::splunk::forwarder':
    package_ensure => 'latest',
  }

  # Default index for every input on this forwarder
  @splunkforwarder_input { 'default/index':
    value => 'linux',
  }

  # Sourcetype per monitored file
  @splunkforwarder_input { 'syslog-sourcetype':
    section => 'monitor:///var/log/syslog',
    setting => 'sourcetype',
    value   => 'linux_messages_syslog',
    tag     => 'splunk_forwarder',
  }
  @splunkforwarder_input { 'kernlog-sourcetype':
    section => 'monitor:///var/log/kern.log',
    setting => 'sourcetype',
    value   => 'linux_messages_syslog',
    tag     => 'splunk_forwarder',
  }

}  # closes the enclosing role class; its opening line is not included in the post

@troyfontaine

Sorry to comment on this after closing, but I figured I'd add this to provide some clarification.

You can configure the index per monitor as well by doing the following:

@splunkforwarder_input { 'apache-sourcetype':
  section => 'monitor:///var/log/apache2/*.log',
  setting => 'sourcetype',
  value   => 'apache',
  tag     => 'splunk_forwarder',
}

@splunkforwarder_input { 'apache-index':
  section => 'monitor:///var/log/apache2/*.log',
  setting => 'index',
  value   => 'apache',
  tag     => 'splunk_forwarder',
}

This will create the added line on the input specified within the section value with the index you'd like to use. You can continue to use this same method to add additional input configuration for a specific monitor as long as you use a different resource title for each additional setting.

A somewhat more verbose default, which I find easier to understand, would be:

@splunkforwarder_input { 'Set default index':
  section => 'default',
  setting => 'index',
  value   => 'linux',
}

Following this same logic, you can add any other defaults you need by adding an additional block, setting the section to default and then specifying the setting and value that you want to apply across all of your indexes.
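
Added example, not part of the thread or of the puppet-splunk module: a small checker that reads one inputs.conf and reports which index each input will actually use, applying the per-monitor override and the `[default]` fallback discussed above. The sample file content is constructed, and the function names are hypothetical.

```python
SPLUNK_BUILTIN_INDEX = "main"  # index Splunk falls back to when none is set

# Constructed sample: an inputs.conf as the resources in this thread could
# leave it (layout assumed, not captured from a real forwarder).
SAMPLE_INPUTS_CONF = """\
[default]
index = linux

[monitor:///var/log/syslog]
sourcetype = linux_messages_syslog

[monitor:///var/log/apache2/*.log]
sourcetype = apache
index = apache
"""

def parse_stanzas(text):
    """Return {stanza: {setting: value}}; a repeated setting keeps the last value."""
    stanzas = {"default": {}}
    current = "default"  # settings above the first header are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_indexes(text):
    """Map each input stanza to (effective index, origin of that value)."""
    stanzas = parse_stanzas(text)
    if "index" in stanzas["default"]:
        fallback = (stanzas["default"]["index"], "[default]")
    else:
        fallback = (SPLUNK_BUILTIN_INDEX, "built-in")
    return {
        name: (s["index"], "stanza") if "index" in s else fallback
        for name, s in stanzas.items() if name != "default"
    }

def unexpected_indexes(text, allowed):
    """Inputs whose effective index is outside the allowed set."""
    found = effective_indexes(text)
    return {name: idx for name, (idx, _) in found.items() if idx not in allowed}
```

This reads a single file only; on the forwarder, `splunk btool inputs list --debug` shows the merged result across all configuration files.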
