Can I add additional monitor stanzas on an indexers inputs.conf?

lhanich1
Path Finder

In my indexers' inputs.conf we have the standard stanza in place for receiving inbound logs from forwarders.

[splunktcp://9997]
disabled = 0

Am I able to add additional stanza(s) to the inputs.conf so I can properly identify and index logs that are being sent via syslog to the indexer (because the logs belong to a SaaS service or an appliance that can't have a forwarder installed)?

i.e.

[tcp://10.1.1.1:9997]
index=windows
source=10.1.1.1

Thanks

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @lhanich1,
you can add all the input stanzas you want; the only limitation is that via the GUI you cannot use the same port for more than one stanza, but you can do it in the conf file.

You can configure different ways to differentiate logs:

  • different ports, to have a different sourcetype for each class of appliances,
  • only one port and one sourcetype, with an override of the sourcetype based on the syslog content,
  • a mix of them.

The important thing is to recognize the sourcetype, to correctly configure knowledge objects (fields, tags, etc.).

Only one hint (if possible): if you have a distributed architecture (more Indexers, more Search Heads, etc.), in other words if you don't have an All-In-One server, don't use the Indexers to ingest syslogs, because during Indexer maintenance you lose your syslogs.
The better architecture to ingest syslogs is to have two Heavy Forwarders (full Splunk Enterprise instances that forward all the logs to the Indexers) and a Load Balancer that manages load balancing and failover (if you don't have a Load Balancer, you can also use DNS for this): in this way you're sure to ingest syslogs also during Indexer maintenance or failover.

Ciao.
Giuseppe

0 Karma
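The two approaches in the accepted answer, written out as an added example (this is not configuration from the thread or from Splunk's own documentation). It keeps the question's [splunktcp://9997] stanza as-is and adds syslog inputs next to it. All addresses, ports other than 9997 and 514, index names other than "windows", sourcetype names and the override regexes are assumptions for this example. Two things a practitioner will want that the thread does not spell out: the raw TCP input is put on its own port rather than on 9997, because two inputs cannot bind the same TCP port and the splunktcp listener already owns it; and every listener carries an acceptFrom ACL, because syslog (UDP in particular) is unauthenticated and anything that can reach the port can otherwise write into your indexes.

```ini
# --- inputs.conf (on the indexer, or better on the heavy forwarders) ---

# Existing forwarder listener from the question, left untouched except for
# an ACL limiting it to the assumed forwarder subnet (10.1.0.0/16).
# acceptFrom rules are matched first-match-wins; "!*" denies everything else.
[splunktcp://9997]
disabled = 0
acceptFrom = 10.1.0.0/16, !*

# Option 1: one port per appliance class, sourcetype fixed per port.
# Plain TCP syslog on 514, deliberately not on 9997 (already bound above).
[tcp://514]
disabled = 0
sourcetype = syslog
index = network
connection_host = ip          # host field = sender IP, not the spoofable syslog header
acceptFrom = 10.1.1.0/24, !*

# UDP syslog from a firewall appliance (assumed address 10.1.1.1).
[udp://1514]
disabled = 0
sourcetype = fw:syslog
index = network
connection_host = ip
no_appending_timestamp = true  # keep the appliance's own timestamp/host
acceptFrom = 10.1.1.1, !*

# [tcp://<remote server>:<port>] form from the question: accepts only that
# sender. A SaaS relay (assumed 10.1.2.5) feeding the "windows" index.
[tcp://10.1.2.5:1515]
disabled = 0
sourcetype = saas:windows
index = windows
connection_host = ip

# --- props.conf ---
# Option 2: one port, one default sourcetype (syslog, from [tcp://514] above),
# overridden per event by content. Index-time work for the original sourcetype
# (line breaking, timestamp extraction) has already run when this fires, so the
# new sourcetype's props only take effect at search time.
[syslog]
TRANSFORMS-set_sourcetype = st_paloalto, st_fortigate

# --- transforms.conf ---
# Regexes below are illustrative assumptions, not vendor-documented formats.
[st_paloalto]
REGEX = ,(TRAFFIC|THREAT|SYSTEM|CONFIG),
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:log

[st_fortigate]
REGEX = devname="?\w+"?\s+devid=
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fortigate:log
```

After a restart, confirm each listener is bound and scoped as intended with `splunk btool inputs list --debug` and a quick `netstat -tulpn | grep splunkd`; then send one test line per appliance class and check that `index=network | stats count by sourcetype, host` shows the expected sourcetype and the sender IP as host. If two transforms match the same event, the last one in the TRANSFORMS list wins, so order the list from most generic to most specific.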

lhanich1
Path Finder

My main concern is affecting the

[splunktcp://9997]
disabled = 0

My instincts suggest my initial question would work.

0 Karma