Deployment Architecture

Restarting Splunk after updating inputs.conf

rkilari
Engager

Hi,
I am new to Splunk and I need your guidance. We have a Splunk landscape with a deployment server, a cluster master, 3 indexers and 2 search heads. Recently we have been getting unclassified data into the syslog index, and as per the requirement it should go to a different index. After looking into the Splunk help, I have updated inputs.conf on the deployment server with the new hosts that are sending data and the index they should go to. I need your help on what other steps are required to complete this setup and restart Splunk. One of my colleagues suggested applying a bundle(?) to the peers and I don't know what that means. Do I need to do anything on the cluster master? Once done, how and where do I restart Splunk? Please help me with this.

Thanks,
Ramesh

1 Solution

woodcock
Esteemed Legend

If it is coming through syslog then likely you have a Universal Forwarder somewhere running syslog-ng. Go to the CLI on your DS in the $SPLUNK_HOME/etc/deployment-apps directory and find the app that contains the inputs.conf for your sourcetype. You can use a command like this:

find /opt/splunk/etc/deployment-apps -name inputs.conf -exec grep -il YourSourcetypeNameHere {} \;

Now that you know what the name of your app is (it is the directory after deployment-apps), you can go to your DS GUI under Forwarder Management and see what serverclass(es) have this app and also what hosts. These hosts are your syslog servers.

Go to your syslog servers and reconfigure syslog-ng.conf to split out your stuff. Make the associated changes to the inputs.conf in the app we just found. Reload the syslog-ng configuration changes and then do /opt/splunk/bin/splunk reload deploy-server to make your Splunk changes go out.

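The split the answer describes, written out as an added example (this is not configuration from the thread or from either poster). The hostnames fw-edge-01 and fw-edge-02, the index name firewall, the directory /var/log/remote and the app the inputs.conf lives in are all assumed for illustration; replace them with your own. The first part goes into syslog-ng.conf on the syslog server, the second into the inputs.conf of the deployment app found with the find command above.

```conf
# --- syslog-ng.conf on the syslog server (added example; paths, host
#     names and the index name are assumptions, not from the thread) ---

# Receive remote syslog on UDP/514.
source s_remote { udp(ip("0.0.0.0") port(514)); };

# Select only the hosts whose events must stop landing in the syslog index.
# (hostnames are constructed for this example)
filter f_firewalls { host("fw-edge-01") or host("fw-edge-02"); };

# Write those hosts into their own directory tree, one file per host and day.
destination d_firewalls {
    file("/var/log/remote/firewall/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create_dirs(yes));
};

# Every other sending host keeps its existing location.
destination d_other {
    file("/var/log/remote/other/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create_dirs(yes));
};

# flags(final) stops a matched message from also being written to d_other.
log { source(s_remote); filter(f_firewalls); destination(d_firewalls); flags(final); };
log { source(s_remote); destination(d_other); };

# --- inputs.conf in the deployment app on the DS ---

# The split-out hosts now go to the 'firewall' index.
[monitor:///var/log/remote/firewall/*/*.log]
index = firewall
sourcetype = syslog
# /var/log/remote/firewall/<host>/<file>.log : <host> is path segment 5
host_segment = 5

# Everyone else keeps landing in the syslog index as before.
[monitor:///var/log/remote/other/*/*.log]
index = syslog
sourcetype = syslog
host_segment = 5
```

The monitor stanzas are what actually decide the index, so the syslog-ng side only has to put the selected hosts into a path that no other stanza matches. If the target index does not exist yet, it must be defined in indexes.conf on the indexers before the forwarder starts sending to it; in an indexer cluster that definition is distributed from the cluster master with splunk apply cluster-bundle, which is the "apply bundle to peers" step the question mentions. After splunk reload deploy-server has pushed the app, running splunk btool inputs list --debug on the forwarder shows which inputs.conf file each stanza and its index setting come from, which confirms the change arrived.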
rkilari
Engager

Thanks woodcock, and sorry for the late response as I was on a long vacation. As you mentioned (actually I forgot to mention that in my question), the logs are coming through syslog. I did the config in syslog-ng and restarted the syslog server and it worked. Much appreciated.

Thanks,
Ramesh
