Getting Data In

Can I add additional monitor stanzas on an indexer's inputs.conf?

lhanich1
Path Finder

In my indexer's inputs.conf we have the standard stanza in place for receiving inbound logs from forwarders.

[splunktcp://9997]
disabled = 0

Am I able to add additional stanza(s) to the inputs.conf so I can properly identify and index logs that are being sent via syslog to the indexer (because the logs belong to a SaaS product or an appliance that can't have a forwarder installed)?

i.e.

[tcp://10.1.1.1:9997]
index=windows
source=10.1.1.1

Thanks

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @lhanich1,
you can add all the input stanzas you want; the only limitation is that via the GUI you cannot use the same port for more than one stanza, but you can do it in the conf file.

You can configure different ways to differentiate logs:

  • different ports to have different sourcetypes for each class of appliances,
  • only one port and one sourcetype with override of the sourcetype based on syslog content,
  • a mix of them.

The important thing is to recognize the sourcetype in order to correctly configure knowledge objects (fields, tags, etc.).

Only one hint (if possible): if you have a distributed architecture (more Indexers, more Search Heads, etc.), in other words, if you don't have an All-In-One server, don't use the Indexers to ingest syslogs, because during Indexer maintenance you lose your syslogs.
The better architecture to ingest syslogs is to have two Heavy Forwarders (full Splunk Enterprise instances that forward all the logs to the Indexers) and a Load Balancer that manages load balancing and failover (if you don't have a Load Balancer, you can also use DNS for this): in this way you're sure to ingest syslogs also during Indexer maintenance or failover.

Ciao.
Giuseppe


0 Karma
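As an added example (not code from this thread and not Splunk's own tooling): a small Python lint that parses an inputs.conf, lists every network listener stanza and reports any port claimed by more than one stanza, which is the check the GUI performs and a hand-edited file skips, so it speaks directly to the worry about disturbing [splunktcp://9997]. The inputs.conf text inside it is constructed: the splunktcp stanza from the question, one syslog port and sourcetype per appliance class as the answer suggests, and the question's own [tcp://10.1.1.1:9997] stanza. The rule that several [tcp://<remote server>:<port>] stanzas may share one port while a wildcard listener on that port clashes is my reading of inputs.conf.spec and is marked as an assumption in the code; verify it against your Splunk version.

```python
"""Lint a Splunk inputs.conf for network listener stanzas that clash on a port.

Added example (not code from the thread or from Splunk). It reproduces the
situation in the question: an indexer already listening on [splunktcp://9997]
plus hand-added raw syslog stanzas in the same file. The GUI refuses a second
stanza on an in-use port; this script raises the same warning for a file
edited by hand. The inputs.conf text below is constructed for the demo.
"""
import configparser
import re
from collections import defaultdict

# Constructed sample: the asker's splunktcp stanza, one syslog input per
# appliance class (the "different ports, different sourcetypes" approach from
# the answer) and the asker's own [tcp://10.1.1.1:9997] stanza, which reuses
# port 9997 and has no sourcetype.
SAMPLE_INPUTS_CONF = """
[splunktcp://9997]
disabled = 0

[tcp://5514]
sourcetype = cisco:asa
index = network
connection_host = ip

[udp://5515]
sourcetype = pan:traffic
index = network
connection_host = ip

[tcp://10.1.1.1:9997]
index = windows
source = 10.1.1.1
"""

# Listener stanza headers from inputs.conf.spec: [splunktcp://<port>],
# [splunktcp-ssl://<port>], [tcp://<port>], [tcp-ssl://<port>],
# [tcp://<remote server>:<port>], [udp://<port>], [udp://<remote server>:<port>].
STANZA_RE = re.compile(
    r"^(?P<scheme>splunktcp-ssl|splunktcp|tcp-ssl|tcp|udp)://"
    r"(?:(?P<host>[^:\]]+):)?(?P<port>\d+)$"
)


def parse_listeners(conf_text):
    """Return one dict per network listener stanza; monitor://, script:// etc. are skipped."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    listeners = []
    for name in cp.sections():
        m = STANZA_RE.match(name)
        if not m:
            continue
        listeners.append({
            "stanza": name,
            "scheme": m["scheme"],
            "proto": "udp" if m["scheme"] == "udp" else "tcp",
            "port": int(m["port"]),
            "remote_host": m["host"],  # None for a wildcard listener
            "disabled": cp.get(name, "disabled", fallback="0").strip().lower() in ("1", "true"),
            "sourcetype": cp.get(name, "sourcetype", fallback=None),
        })
    return listeners


def find_port_collisions(listeners):
    """Map (proto, port) -> stanza names for every port whose enabled stanzas clash.

    Assumption about Splunk semantics: several host-restricted raw stanzas
    ([tcp://<remote server>:<port>]) may share one port, one sender each.
    A wildcard listener (no remote host, which includes splunktcp://) on that
    same port, or two stanzas for the same remote host, is treated as a clash.
    """
    by_port = defaultdict(list)
    for lst in listeners:
        if not lst["disabled"]:
            by_port[(lst["proto"], lst["port"])].append(lst)
    collisions = {}
    for key, group in by_port.items():
        if len(group) < 2:
            continue
        wildcard = [lst for lst in group if lst["remote_host"] is None]
        hosts = [lst["remote_host"] for lst in group if lst["remote_host"]]
        if wildcard or len(hosts) != len(set(hosts)):
            collisions[key] = [lst["stanza"] for lst in group]
    return collisions


def lint(conf_text):
    """Return human-readable findings; an empty list means the file is clean."""
    listeners = parse_listeners(conf_text)
    findings = []
    for (proto, port), stanzas in sorted(find_port_collisions(listeners).items()):
        findings.append(f"{proto}/{port} is claimed by {len(stanzas)} stanzas: {', '.join(stanzas)}")
    # A raw syslog input without an explicit sourcetype leaves Splunk guessing,
    # so the knowledge objects the answer mentions (fields, tags) will not match.
    for lst in listeners:
        if not lst["scheme"].startswith("splunktcp") and not lst["sourcetype"]:
            findings.append(f"{lst['stanza']} has no sourcetype set")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_INPUTS_CONF) or ["inputs.conf: no findings"]:
        print(line)
```

On the constructed sample the lint reports two findings: tcp/9997 is claimed by both [splunktcp://9997] and [tcp://10.1.1.1:9997], and the latter has no sourcetype. Moving the syslog stanza to its own port and giving it a sourcetype clears both. To check a real file, pass its contents to `lint()`, for example `lint(open("/opt/splunk/etc/system/local/inputs.conf").read())`, remembering that Splunk merges stanzas from every app's local and default directories, so lint the merged view (for instance the output of `splunk btool inputs list`) when several apps define listeners.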

lhanich1
Path Finder

My main concern is affecting the

[splunktcp://9997]
disabled = 0

My instincts suggest my initial question would work.

0 Karma