search

voxpupuli / puppet-splunk

Manage Splunk servers and forwarders using Puppet
https://forge.puppet.com/puppet/splunk
Apache License 2.0
41 stars 123 forks source link

Cant figure out how to set the index that splunk-forwarder sends to #205

Closed MattWeatherford closed 4 years ago

MattWeatherford commented 6 years ago

Hi, Im unable to figure out how to set the indexer that this puppet-splunk module will send data to.... I've got a splunk server with a "LINUX" index - how can I configure the forwarder to send to that index rather than default? Im using the universal fwder 7.2.0

And while Im at it, thank you for a great module - this has saved me so much time!

-Matt

TheFuzz4 commented 5 years ago

Matt, Did you ever figure this out? I just installed this module today and its amazing but I also cannot for the life of me figure out how to tell it which index to send the data into.

MattWeatherford commented 5 years ago

No, I never sorted it out - I suspect it isnt supported

dave-pollock commented 5 years ago

I haven't tested this, but wouldn't it be something like:

splunkforwarder_input { 'default/index':
  value => 'LINUX',
}
MattWeatherford commented 4 years ago

YES- thank you @dave-pollock - this works! I've defined a splunk client role like this:

class { '::splunk::params': server => 'mysplunk.domain.name.org' }

class { '::splunk::forwarder': package_ensure => 'latest', }

            @splunkforwarder_input { 'default/index':
              value => 'linux',
            }

            @splunkforwarder_input { 'syslog-sourcetype':
              section => 'monitor:///var/log/syslog',
              setting => 'sourcetype',
              value   => 'linux_messages_syslog',
              tag     => 'splunk_forwarder'
            }
            @splunkforwarder_input { 'kernlog-sourcetype':
              section => 'monitor:///var/log/kern.log',
              setting => 'sourcetype',
              value   => 'linux_messages_syslog',
              tag     => 'splunk_forwarder'
            }

}

troyfontaine commented 1 year ago

Sorry to comment on this after closing-but I figured I'd add this to provide some clarification.

You can configure the index per monitor as well by doing the following:

@splunkforwarder_input { 'apache-sourcetype':
  section => 'monitor:///var/log/apache2/*.log',
  setting  => 'sourcetype',
  value     => 'apache',
  tag         => 'splunk_forwarder',
}

@splunkforwarder_input { 'apache-index':
  section => 'monitor:///var/log/apache2/*.log',
  setting  => 'index',
  value     => 'apache',
  tag         => 'splunk_forwarder',
}

This will create the added line on the input specified within the section value with the index you'd like to use. You can continue to use this same method to add additional input configuration for a specific monitor as long as you use a different resource title for each additional setting.

A somewhat more verbose default, that I find easier to understand would be:

@splunkforwarder_input { 'Set default index':
  section => 'default',
  setting  => 'index',
  value     => 'linux',
}

Following this same logic, you can add any other defaults you need by adding an additional block, setting the section to default and then specifying the setting and value that you want to apply across all of your indexes.