All Apps and Add-ons

Splunk app ingesting excess data

roberteves
Explorer

Hi all, somewhat new to Splunk, hopefully I'll describe the issue well...

I've setup a deployment app to forward logs from an (non-splunk) application for which there is no current app on Splunkbase. I configured the index and log file locatiosn to go to the index oempi. I configured a specific server class for these servers.

I also have a server class for Splunk App for *nix which has these servers as well as other Linux servers used for other purposes. That app is configured to send data to the os index.

For some reason I'm getting all the data from the Splunk App for *nix in the oempi index  as well as the os index.

Below are the settings for the two apps:

 

 

 

head Splunk_TA_nix/local/inputs.conf
# Copyright (C) 2020 Splunk Inc. All Rights Reserved.
[default]
index = os

[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
disabled = 1

 

 

 

 

 

head OpenEMPI/local/inputs.conf
[default]
index = oempi

[monitor:///sysnet/openempi/openempi-3.5.7/logs]
whitelist=(\.log|\.out|\.txt)
disabled = 0

[monitor:///sysnet/openempi/openempi-3.5.7/openempi-entity-3.5.7/logs]
whitelist=(\.log)
disabled = 0

 

 

Labels (2)
0 Karma
1 Solution

hmallett
Path Finder

Where you have a [default] stanza in each inputs.conf, those stanzas are not scoped to the inputs.conf file. Instead all the inputs.conf files are aggregated, and only one of the [default] stanzas "wins". (Configuration file order precedence is documented here)

I would expect your inputs.confs to look like:

[script://./bin/vmstat.sh]
index = os
interval = 60
sourcetype = vmstat
source = vmstat
disabled = 1

and

[monitor:///sysnet/openempi/openempi-3.5.7/logs]
index = oempi
whitelist=(\.log|\.out|\.txt)
disabled = 0

[monitor:///sysnet/openempi/openempi-3.5.7/openempi-entity-3.5.7/logs]
index = oempi
whitelist=(\.log)
disabled = 0

 

View solution in original post

hmallett
Path Finder

Where you have a [default] stanza in each inputs.conf, those stanzas are not scoped to the inputs.conf file. Instead all the inputs.conf files are aggregated, and only one of the [default] stanzas "wins". (Configuration file order precedence is documented here)

I would expect your inputs.confs to look like:

[script://./bin/vmstat.sh]
index = os
interval = 60
sourcetype = vmstat
source = vmstat
disabled = 1

and

[monitor:///sysnet/openempi/openempi-3.5.7/logs]
index = oempi
whitelist=(\.log|\.out|\.txt)
disabled = 0

[monitor:///sysnet/openempi/openempi-3.5.7/openempi-entity-3.5.7/logs]
index = oempi
whitelist=(\.log)
disabled = 0

 

roberteves
Explorer

Sorry for the delay, I was thinking it might be something like that. Making those changes resolved the issue. Thanks!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try to run btool on your forwarder to see what type of monitoring config is active.

 

$Splunk_home/bin/splunk btool inputs list --debug
Tags (1)
0 Karma

roberteves
Explorer

Thanks, I'm not really familiar with the output from that, but I do see this:

 

/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf              [monitor:///var/log]
/opt/splunkforwarder/etc/system/default/inputs.conf                        _rcvbuf = 1572864
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf              blacklist = (lastlog|anaconda\.syslog|audit\.log.*)
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf              disabled = 0
/opt/splunkforwarder/etc/system/local/inputs.conf                          host = <my host>
/opt/splunkforwarder/etc/apps/OpenEMPI/local/inputs.conf                   index = oempi
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf              whitelist = (\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)

 

 

Why would it be combining the configuration from those two apps? I understand system defaults may be used where they're not specified in an app, but I expected these to be two separate apps and the configuration for either wouldn't affect the other

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...