Hub file targets write data to the Log Directory as JSON-formatted field and value pairs, so any of the files created can be forwarded to Splunk via a Splunk Forwarder.
The filename will include the name of the Source that is being monitored followed by a creation date/time and the suffix of the file. The Splunk Forwarder requires an inputs.conf file that tells it where the files are and which files should be forwarded.
To install the forwarder software on the Splunk forwarding server and connect it to the server or indexer, refer to the Splunk documentation. After installation, follow these example steps to add the files created by the Hub to the list of Sources for the forwarder:
- Edit the inputs.conf file in this directory:
  - On Linux: /Splunk installation directory/etc/system/local/
  - On Windows: \Splunk installation directory\etc\system\local\
  Note: Create a new inputs.conf file in this directory if it does not already exist.
- Add these lines to the end of inputs.conf and edit them for your environment. These examples assume you are using the default file locations.
  Important: Make sure to use the appropriate \ or / for the environment in which the Hub is running.
  - On Linux:
    [monitor://\/opt\/ihub\/log.*<yourfilename>.*.log]
    host_regex = .*\/(.*?)(?=\.)
    index = <index>
    sourcetype = _json
    disabled = false
  - On Windows:
    [monitor:// C:\\Program Files\\Precisely\\Ironstream Hub\\log.*<yourfilename>.*.log]
    host_regex = .*\\(.*?)(?=\.)
    index = <index>
    sourcetype = _json
    disabled = false
- In the monitor statement:
- Check that your data is being written to the directory shown. This example assumes that it is the default ‘log’ directory. If not, change it.
- Set <yourfilename> to the same value you will use as the ‘File identifier’ for a File Target in the Hub UI. For more information, see the Defining Target section.
- The host_regex statement moves past the path name and extracts the first part of the file name, up to the first period. This provides Splunk with the host name to associate with the data. For example, if you run the Hub on Linux and the full file name and path is /opt/ihub/log/MyIBM.is4idata.2024-01-26-010203-456789000.log then this will extract the string MyIBMi as the host name.
- Save the file and restart the Splunk forwarder.
- On Linux: Splunk installation directory/bin/splunk restart
- On Windows: Restart the Splunk Forwarder service “splunkd” from the Windows Services utility.
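Before restarting the forwarder, it can help to confirm which host value the host_regex settings above will assign to each file. The following Python check is an added example, not part of the product documentation: it applies the two host_regex patterns from this page to constructed file names and flags any file whose extracted host is not one of your Source names. It assumes Python's re module behaves like Splunk's regex engine for these patterns; the function names, paths and Source names are hypothetical.

```python
import re

# host_regex values copied from the inputs.conf stanzas on this page.
HOST_REGEX = {
    "linux": r".*\/(.*?)(?=\.)",
    "windows": r".*\\(.*?)(?=\.)",
}

def splunk_host(path, platform):
    """Return the host the page's host_regex would capture, or None."""
    m = re.search(HOST_REGEX[platform], path)
    return m.group(1) if m and m.group(1) else None

def audit(paths, platform, expected_sources):
    """Map each path to (host, ok); ok is False when host is not a known Source."""
    report = {}
    for p in paths:
        host = splunk_host(p, platform)
        report[p] = (host, host in expected_sources)
    return report

# Constructed sample file names (not taken from a real Hub installation).
LINUX_PATHS = [
    "/opt/ihub/log/PRODSYS1.audit.2024-01-26-010203-456789000.log",
    # A Source name containing a period is cut at the first period.
    "/opt/ihub/log/db.prod.audit.2024-01-26-010203-456789000.log",
    # No period in the path at all: the regex does not match.
    "/opt/ihub/log/README",
]
WINDOWS_PATHS = [
    r"C:\Program Files\Precisely\Ironstream Hub\log"
    r"\PRODSYS1.audit.2024-01-26-010203-456789000.log",
]
SOURCES = {"PRODSYS1", "db.prod"}  # assumed Source names

if __name__ == "__main__":
    for platform, paths in (("linux", LINUX_PATHS), ("windows", WINDOWS_PATHS)):
        for path, (host, ok) in audit(paths, platform, SOURCES).items():
            status = "ok" if ok else "CHECK"
            print(f"{status:5} host={host!r:12} {path}")
```

A CHECK result means events from that file would be indexed under a host value that does not match any Source, so searches and alerts keyed on host would miss them.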