Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dealing with inputs.conf and lightweight forwarders...

tmeader
Contributor
‎12-09-2010 07:43 PM

To be clear, I've already received official responses from Splunk support on this topic (just in case they feel inclined to follow-up on here), but what I'm looking for now is verification of these processes. Likewise, what's their experience in migrating, and how much of a hassle has it been whenever new "apps" are installed/modified on your installation? Thanks.

We are currently using a single splunk indexer/search head that reads its inputs via NFS mounts on a remote log server. To improve performance, we're moving to a distributed search architecture (load balanced), and so the data will now be sent out from a light-weight forwarder (LWF) instance running directly on the log server itself. One potential problem that we've identified, and don't really see addressed in the docs anywhere, is that any separate inputs.conf files from installed apps need to be addressed somehow on the LWF.

Will those apps have to also be installed on the LWF just so that it's aware of the inputs defined in those files? Or should the inputs.conf files be somehow merged when placing them on the LWF. As an example:

  • Splunk has the existing SPLUNK_HOME/etc/system/local/inputs.conf file... which will be moved to the LWF
  • Splunk also has the app "OSSEC" installed under SPLUNK_HOME/etc/apps/ossec, which within contains the file SPLUNK_HOME/etc/apps/ossec/local/inputs.conf. Does this entire app need to be installed on the LWF to work properly, or should the contents of the ossec/local/inputs.conf be manually merged with system/local/inputs.conf prior to it getting migrated?

If it's the latter, that could become a bit of a hassle (but obviously still doable) to keep up with.

Anyone care to share if this is also their experience? And what the best method is when migrating and then keeping everything in sync going forward? Thanks in advance.

Tags (1)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎12-10-2010 07:25 AM

I recommend you read my answer here on a similar question: http://answers.splunk.com/questions/4559/best-practices-for-installing-and-configuring-apps-in-a-dis...

Related background material that may be useful in enriching understanding of the answer is: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...