topic different monitors for different hosts under the same index in Getting Data In

different monitors for different hosts under the same index

przemysaw — Tue, 02 Feb 2021 12:01:34 GMT

hi!

I have a case where I need to onboard data from different hosts and paths but under the same index. As an example, I need to onboard from server1 logfile /foo/bar1.log, and from server2 /foo/bar2.log.

If I create one app and in the inputs.conf place [monitor:///foo/bar*.log] and in the serverclass add server1 and server2, it will start to gather data from both files from both servers (I assume that they both exists on both servers).

Now, the only workaround that comes to my mind is to separate them into 2 different apps, like:

app1:

inputs.conf - [monitor:///foo/bar1.log]

serverclass: server1

app2:

inputs.conf - [monitor:///foo/bar2.log]

serverclass: server2

The question is, if it is possible to do it within one app?

Re: different monitors for different hosts under the same index

gcusello — Tue, 02 Feb 2021 12:15:11 GMT

Hi @przemysaw,

the fact that you have all data in the same index isn't relevant: an index in Splunk is a container and the only reasono to use different indexer (also for different data) are.

data retention (data with different retention values must be in different indexes);
access grants (data with different access grants must be in different indexes).

After this introduction, you can have all the data in the same index.

This is a normal problem of all the people that approach Splunk coming from database world: Splunk isn't a database and it's very different!

Then you can identify data from a server from the other using the host field that has always a value.

About the question of using one or two apps (it's better call these apps Technical Add-ons or TAs not Apps, apps are the ones on Search Heads), it depends if you have data from both the paths in both the servers and if you want to take all of them or not.

In other words:

if you want all thepaths in all the servers, you can have only one TA with both the paths in inputs.conf, otherwise you can use two TAs in diferent ServerClasses;
you can use one stanza if you have to assign to the data the same sourcetype, otherwise you have to use two stanzas, each one with its own sourcetype;
you can recognize data from a server using the host field.

Ciao.

Giuseppe

Re: different monitors for different hosts under the same index

manjunathmeti — Tue, 02 Feb 2021 12:16:56 GMT

hi @przemysaw ,

A server class is configured in serverclass.conf on the deployment server.

Yes, you can deploy the same app with the same monitor configurations on both server1 and server2.
myapp/default/inputs.conf

[monitor:///foo/bar*.log] index = index_name sourcetype = sourcetype_name

And to deploy this app on forwarder on both server1 and server2, configure server classes in serverclass.conf on deployment server and reload deployment server.

[serverClass:myserver_class] whitelist.1=client_name_of_forwarder_on_server1 whitelist.2=client_name_of_forwarder_on_server2 [serverClass:myserver_class:app:my_app]

If this reply helps you, an upvote/like would be appreciated.