https://community.splunk.com/t5/Getting-Data-In/Conditional-Input-conf-setting/m-p/529040#M89154 <P>All,&nbsp;</P><P>I have about 200 machines with UF installed. I want to monitor bash_history and a few other Linux /home items. The challenge is on about half the machines the home directory is an NFS mount and the other half are local file system.&nbsp; Monitoring the NFS every every end point is IO prohibitive and double indexes the same data.&nbsp;</P><P>Is there a way in Splunk to programmatically handle this? That is, I only need to gather the files/logs from one host if it's mounted from NFS but if it's local file system I need to run the input on each machine.&nbsp;</P><P>Any recommendations? I was thinking of writing a script input in a Splunk app that creates and manages an app in the UF app folder. But seems very clunky.&nbsp;</P> Wed, 11 Nov 2020 20:36:26 GMT daniel333 2020-11-11T20:36:26Z https://community.splunk.com/t5/Getting-Data-In/Conditional-Input-conf-setting/m-p/529040#M89154 <P>All,&nbsp;</P><P>I have about 200 machines with UF installed. I want to monitor bash_history and a few other Linux /home items. The challenge is on about half the machines the home directory is an NFS mount and the other half are local file system.&nbsp; Monitoring the NFS every every end point is IO prohibitive and double indexes the same data.&nbsp;</P><P>Is there a way in Splunk to programmatically handle this? That is, I only need to gather the files/logs from one host if it's mounted from NFS but if it's local file system I need to run the input on each machine.&nbsp;</P><P>Any recommendations? I was thinking of writing a script input in a Splunk app that creates and manages an app in the UF app folder. But seems very clunky.&nbsp;</P> Wed, 11 Nov 2020 20:36:26 GMT https://community.splunk.com/t5/Getting-Data-In/Conditional-Input-conf-setting/m-p/529040#M89154 daniel333 2020-11-11T20:36:26Z https://community.splunk.com/t5/Getting-Data-In/Conditional-Input-conf-setting/m-p/529046#M89157 <P>There are not programmatic settings in inputs.conf or any other Splunk config file.</P><P>If you use a third-part tool like Ansible to manage your UFs then your script idea might work&nbsp; It would be even better if Ansible could make the NFS-is-used decision and selectively install your input app.</P><P>If you use the Splunk deployment server to manage UFs then don't manipulate the app locally.&nbsp; That will cause the UF to re-install the app from the DS.</P> Wed, 11 Nov 2020 21:47:27 GMT https://community.splunk.com/t5/Getting-Data-In/Conditional-Input-conf-setting/m-p/529046#M89157 richgalloway 2020-11-11T21:47:27Z