Configuring the Splunk Forwarder

Ironstream Hub Administration

Product
Ironstream > Ironstream for Kafka®
Ironstream > Ironstream Hub
Ironstream > Ironstream for Elastic®
Ironstream > Ironstream for Splunk®
Version
1.3
First publish date
2022
Last updated
2024-11-07
Published on
2024-11-07T04:34:24.569004

Hub file targets write data to the Log Directory as JSON-formatted field and value pairs, so any of the files created can be forwarded to Splunk via a Splunk Forwarder.

The filename includes the name of the Source that is being monitored, followed by a creation date/time and the suffix of the file. The Splunk Forwarder requires an inputs.conf file configured so that it knows where the files are and which files should be forwarded.

To install the forwarder software on the Splunk forwarding server and connect it to the server or indexer, refer to the Splunk documentation. After installation, follow these example steps to add the files created by the Hub to the list of Sources for the forwarder:
  1. Edit the inputs.conf file in this directory:
    • On Linux: /Splunk installation directory/etc/system/local/
    • On Windows: \Splunk installation directory\etc\system\local\
    Note: Create a new inputs.conf file in this directory if it does not already exist.
  2. Add and edit these lines to the end of inputs.conf. These examples assume you are using the default file locations.
    Important: Make sure to use the appropriate \ or / for the environment in which the Hub is running.
    • On Linux:
      
      [monitor://\/opt\/ihub\/log.*<yourfilename>.*.log]
      host_regex = .*\/(.*?)(?=\.)
      index = <index>
      sourcetype = _json
      disabled = false
      
    • On Windows:
      
      [monitor:// C:\\Program Files\\Precisely\\Ironstream Hub\\log.*<yourfilename>.*.log]
      host_regex = .*\\(.*?)(?=\.)
      index = <index>
      sourcetype = _json
      disabled = false
      
    • In the monitor statement:
      • Check that your data is being written to the directory shown. This example assumes that it is the default ‘log’ directory. If not, change it.
      • Set <yourfilename> to the same value you will use as the ‘File identifier’ for a File Target in the Hub UI. For more information, see the Defining Target section.
    • The host_regex statement moves past the path name and extracts the first part of the file name. This provides Splunk with the host name to associate with the data. For example, if you run the Hub on Linux and the full file name and path is /opt/ihub/log/MyIBM.is4idata.2024-01-26-010203-456789000.log, this extracts the string MyIBMi as the host name.
    • Save the file and restart the Splunk forwarder.
      • On Linux: Splunk installation directory/bin/splunk restart
      • On Windows: Restart the Splunk Forwarder service “splunkd” from the Windows Services utility.
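
The host value is what searches and alerts in Splunk group events by, so it is worth checking what host_regex will extract before deploying the stanza. The following is an added example, not part of the Ironstream or Splunk documentation: it applies the two host_regex values from this page to constructed file paths and reports names that are truncated or that collapse to the same host. It assumes Python's re module treats these two patterns the same way as Splunk's regex engine; the Source names (including ones that contain a period) and the File identifier "secaudit" are made up for illustration.

```python
import re
from collections import defaultdict

# host_regex values copied from the two inputs.conf stanzas on this page.
LINUX_HOST_REGEX = r".*\/(.*?)(?=\.)"
WINDOWS_HOST_REGEX = r".*\\(.*?)(?=\.)"

def extract_host(path, host_regex):
    """Return capture group 1 (the value Splunk assigns to host), or None
    when the regex does not match and the forwarder's default host applies."""
    match = re.search(host_regex, path)
    return match.group(1) if match else None

def audit_hosts(expected_by_path, host_regex):
    """Compare extracted hosts with the intended Source names.

    Returns (mismatches, collisions): paths whose host differs from the
    intended name, and host values shared by more than one intended name."""
    mismatches = {}
    names_by_host = defaultdict(set)
    for path, intended in expected_by_path.items():
        host = extract_host(path, host_regex)
        names_by_host[host].add(intended)
        if host != intended:
            mismatches[path] = host
    collisions = {h: sorted(n) for h, n in names_by_host.items() if len(n) > 1}
    return mismatches, collisions

# Constructed sample paths: <Source name>.<File identifier>.<timestamp>.log
STAMP = "2024-01-26-010203-456789000.log"
LINUX_SAMPLES = {
    f"/opt/ihub/log/LPAR1.secaudit.{STAMP}": "LPAR1",
    # Hypothetical Source names containing a period: cut at the first period.
    f"/opt/ihub/log/lpar2.prod.secaudit.{STAMP}": "lpar2.prod",
    f"/opt/ihub/log/lpar2.test.secaudit.{STAMP}": "lpar2.test",
}
WINDOWS_SAMPLE = rf"C:\Program Files\Precisely\Ironstream Hub\log\LPAR1.secaudit.{STAMP}"

if __name__ == "__main__":
    mismatches, collisions = audit_hosts(LINUX_SAMPLES, LINUX_HOST_REGEX)
    print("truncated hosts:", mismatches)
    print("host collisions:", collisions)
    print("windows host:", extract_host(WINDOWS_SAMPLE, WINDOWS_HOST_REGEX))
```

Because the capture stops at the first period, two Sources whose names differ only after a period are indexed under the same host, which merges their events in any search or alert keyed on host.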