<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to know what inputs.conf a given event came from? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-know-what-inputs-conf-a-given-event-came-from/m-p/122494#M25358</link>
    <description>&lt;P&gt;The beauty and curse of the conf files is that they all stack.&lt;BR /&gt;
If you found the correct source, but have several inputs matching it, the best solution is to run a btool and check how they merge.&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;./splunk cmd btool inputs list --debug&lt;/CODE&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 07 Apr 2014 19:14:09 GMT</pubDate>
    <dc:creator>yannK</dc:creator>
    <dc:date>2014-04-07T19:14:09Z</dc:date>
    <item>
      <title>How to know what inputs.conf a given event came from?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-know-what-inputs-conf-a-given-event-came-from/m-p/122493#M25357</link>
      <description>&lt;P&gt;So if you have any reasonably complicated deployment, likely you have a fair number of inputs.conf that your UF is reading. &lt;/P&gt;

&lt;P&gt;If you are trying to change a field on a given event that is being forwarded... like say a log that needs a different sourcetype... and you want to change that stanza from the appropriate inputs.conf, how do you know which one to change? Is the only way to do a search of the content of the file? Trouble is, it is not always clear what stanza and in which file caused an event to be forwarded.&lt;/P&gt;

&lt;P&gt;Much like "source" which tells you exactly what file the data came from, I was thinking about adding a "conf" field to show exactly which inputs.conf had forwarded on this particular event.&lt;/P&gt;

&lt;P&gt;So how is this sort of thing tracked in a large scale environment according to best practices?&lt;/P&gt;</description>
      <pubDate>Mon, 07 Apr 2014 19:00:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-know-what-inputs-conf-a-given-event-came-from/m-p/122493#M25357</guid>
      <dc:creator>neiljpeterson</dc:creator>
      <dc:date>2014-04-07T19:00:23Z</dc:date>
    </item>
    <item>
      <title>Re: How to know what inputs.conf a given event came from?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-know-what-inputs-conf-a-given-event-came-from/m-p/122494#M25358</link>
      <description>&lt;P&gt;The beauty and curse of the conf files is that they all stack.&lt;BR /&gt;
If you found the correct source, but have several inputs matching it, the best solution is to run a btool and check how they merge.&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;./splunk cmd btool inputs list --debug&lt;/CODE&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 07 Apr 2014 19:14:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-know-what-inputs-conf-a-given-event-came-from/m-p/122494#M25358</guid>
      <dc:creator>yannK</dc:creator>
      <dc:date>2014-04-07T19:14:09Z</dc:date>
    </item>
  </channel>
</rss>

