Configuring the Splunk Forwarder - Ironstream_Hub - ironstream_for_kafka - ironstream_for_elastic - ironstream_for_splunk - 1.3

Ironstream Hub Administration

Product type
Product family
Ironstream > Ironstream for Kafka®
Ironstream > Ironstream for Elastic®
Ironstream > Ironstream for Splunk®
Ironstream > Ironstream Hub
Product name
Ironstream Hub
Ironstream Hub Administration
First publish date

To install the forwarder software on the Splunk forwarding server and connect it to the server or indexer refer to the Splunk documentation. After installation, follow these example steps after installation to add the files created by the Hub to the list of Sources for the forwarder:

  1. Edit the inputs.conf file in this directory:
    • On Linux: /Splunk installation directory/etc/system/local/
    • On Windows: \Splunk installation directory\etc\system\local\
    Note: Create a new inputs.conf file in this directory if it does not already exist.
  2. Add and edit these lines to the end of inputs.conf. These examples assume you are using the default file locations.
    Important: Make sure to use the appropriate \ or / for the environment in which the Hub is running.
    • On Linux:
      host_regex = .*\/(.*?)(?=\.)
      index = <index>
      sourcetype = _json
      disabled = false
    • On Windows:
      [monitor:// C:\\Program Files\\Precisely\\Ironstream Hub\\log.*<yourfilename>.*.log]
      host_regex = .*\\(.*?)(?=\.)
      index = <index>
      sourcetype = _json
      disabled = false
    • In the monitor statement:
      • Check that your data is being written to the directory shown. This example assumes that it is the default ‘log’ directory. If not, change it.
      • Set <yourfilename> to the same value you will use as the ‘File identifier’ for a File Target in the Hub UI. For more information, see the Defining Target section.
    • The host_regex statement moves past the path name and extracts the first part of a file name. This provides Splunk with the host name to associate with data. For example, if you run the Hub on Linux and the full file name and path is /opt/ihub/log/MyIBM.is4idata.2024-01-26-010203-456789000.log then this will extract the string MyIBMi as the host name.
    • Save the file and restart the Splunk forwarder.
      • On Linux: Splunk installation directory/bin/splunk restart
      • On Windows: Restart the Splunk Forwarder service “splunkd” from the Windows Services utility.