Splunk app ingesting excess data

roberteves
Explorer

Hi all, somewhat new to Splunk, hopefully I'll describe the issue well...

I've set up a deployment app to forward logs from a (non-Splunk) application for which there is no current app on Splunkbase. I configured the index and log file locations to go to the index oempi. I configured a specific server class for these servers.

I also have a server class for Splunk App for *nix which has these servers as well as other Linux servers used for other purposes. That app is configured to send data to the os index.

For some reason I'm getting all the data from the Splunk App for *nix in the oempi index as well as the os index.

Below are the settings for the two apps:
head Splunk_TA_nix/local/inputs.conf
# Copyright (C) 2020 Splunk Inc. All Rights Reserved.
[default]
index = os

[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
disabled = 1
head OpenEMPI/local/inputs.conf
[default]
index = oempi

[monitor:///sysnet/openempi/openempi-3.5.7/logs]
whitelist=(\.log|\.out|\.txt)
disabled = 0

[monitor:///sysnet/openempi/openempi-3.5.7/openempi-entity-3.5.7/logs]
whitelist=(\.log)
disabled = 0

hmallett
Path Finder

Where you have a [default] stanza in each inputs.conf, those stanzas are not scoped to the inputs.conf file. Instead all the inputs.conf files are aggregated, and only one of the [default] stanzas "wins". (Configuration file order precedence is documented here)

I would expect your inputs.confs to look like:

[script://./bin/vmstat.sh]
index = os
interval = 60
sourcetype = vmstat
source = vmstat
disabled = 1

and

[monitor:///sysnet/openempi/openempi-3.5.7/logs]
index = oempi
whitelist=(\.log|\.out|\.txt)
disabled = 0

[monitor:///sysnet/openempi/openempi-3.5.7/openempi-entity-3.5.7/logs]
index = oempi
whitelist=(\.log)
disabled = 0

roberteves
Explorer

Sorry for the delay, I was thinking it might be something like that. Making those changes resolved the issue. Thanks!
somesoni2
Revered Legend

Try to run btool on your forwarder to see what type of monitoring config is active.
$Splunk_home/bin/splunk btool inputs list --debug
roberteves
Explorer

Thanks, I'm not really familiar with the output from that, but I do see this:
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf              [monitor:///var/log]
/opt/splunkforwarder/etc/system/default/inputs.conf                        _rcvbuf = 1572864
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf              blacklist = (lastlog|anaconda\.syslog|audit\.log.*)
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf              disabled = 0
/opt/splunkforwarder/etc/system/local/inputs.conf                          host = <my host>
/opt/splunkforwarder/etc/apps/OpenEMPI/local/inputs.conf                   index = oempi
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf              whitelist = (\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
Why would it be combining the configuration from those two apps? I understand system defaults may be used where they're not specified in an app, but I expected these to be two separate apps and the configuration for either wouldn't affect the other.

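The accepted answer and the btool output above both come down to one rule: Splunk does not scope a [default] stanza to the file it appears in. All inputs.conf files are aggregated, the highest-precedence [default] value wins, and that value is then applied to every stanza in every app that does not set the key itself. In the global (forwarder) context, app local directories take precedence in ASCII order of the app name, uppercase before lowercase, so OpenEMPI outranks Splunk_TA_nix, which is why btool attributes index = oempi to the OpenEMPI app for the [monitor:///var/log] stanza. The script below is an added example, not Splunk's code and not from anyone in this thread: it parses constructed copies of the two inputs.conf files, merges them the way btool --debug reports them, and lints for the pattern that caused the mis-routing (an app-level [default] that sets index, sourcetype or host). The [monitor:///var/log] stanza is taken from the btool output rather than from the head excerpts, and the ASCII-order precedence is the documented Splunk rule as understood here, not something the script reads from Splunk. Sending OS logs into an application index matters beyond cost: index-level role permissions decide who can read them, so a leaked [default] silently changes who sees what.

```python
"""Model of how Splunk layers inputs.conf [default] stanzas across apps.

Added example, not Splunk code. Assumes the documented global-context rule:
app local directories take precedence in ASCII order of app name
(uppercase before lowercase), so 'OpenEMPI' beats 'Splunk_TA_nix'.
"""
import re

# Constructed copies of the thread's two files. [monitor:///var/log] comes from
# the btool --debug output in the thread, not from the `head` excerpts.
BROKEN = {
    "apps/Splunk_TA_nix/local/inputs.conf": """
[default]
index = os

[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
disabled = 1

[monitor:///var/log]
disabled = 0
""",
    "apps/OpenEMPI/local/inputs.conf": """
[default]
index = oempi

[monitor:///sysnet/openempi/openempi-3.5.7/logs]
whitelist=(\\.log|\\.out|\\.txt)
disabled = 0
""",
}

# Same files with index= moved into each stanza, as the accepted answer suggests.
FIXED = {
    "apps/Splunk_TA_nix/local/inputs.conf": """
[script://./bin/vmstat.sh]
index = os
interval = 60
sourcetype = vmstat
source = vmstat
disabled = 1

[monitor:///var/log]
index = os
disabled = 0
""",
    "apps/OpenEMPI/local/inputs.conf": """
[monitor:///sysnet/openempi/openempi-3.5.7/logs]
index = oempi
whitelist=(\\.log|\\.out|\\.txt)
disabled = 0
""",
}

STANZA_RE = re.compile(r"^\[(.+)\]$")
ROUTING_KEYS = ("index", "sourcetype", "host")  # keys that decide where data lands


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def precedence_order(paths):
    """Global-context order of app local dirs: plain ASCII sort of the path."""
    return sorted(paths)  # 'apps/OpenEMPI/...' sorts before 'apps/Splunk_TA_nix/...'


def effective_config(files):
    """Return {stanza: {key: (value, origin_path)}} as btool --debug would report it:
    the highest-precedence explicit value wins, then [default] fills every gap."""
    effective = {}
    for path in precedence_order(files):
        for name, kv in parse_conf(files[path]).items():
            bucket = effective.setdefault(name, {})
            for key, value in kv.items():
                bucket.setdefault(key, (value, path))  # first (highest) writer wins
    default = effective.pop("default", {})
    for bucket in effective.values():
        for key, origin in default.items():
            bucket.setdefault(key, origin)  # the [default] leaks into every app's stanzas
    return effective


def find_leaky_defaults(files):
    """Lint: (path, key, value) for each routing key set in an app-level [default]."""
    return [
        (path, key, value)
        for path, text in files.items()
        for key, value in parse_conf(text).get("default", {}).items()
        if key in ROUTING_KEYS
    ]


if __name__ == "__main__":
    for label, files in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"== {label} ==")
        for stanza, kv in effective_config(files).items():
            value, origin = kv.get("index", ("<none>", "-"))
            print(f"{origin:40} [{stanza}] index = {value}")
        print("leaky [default] routing keys:", find_leaky_defaults(files))
```

Running it prints the broken layout with every stanza, including [monitor:///var/log] from the *nix app, resolved to index = oempi with the OpenEMPI file as origin, and the fixed layout with each stanza carrying its own index and no lint findings. The same find_leaky_defaults check is cheap to run over a deployment server's apps directory before pushing a new server class.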