Getting Data In

Conditionally 'activate' inputs?


Hi all - I'm looking for some advice on managing different combinations of inputs based on server type. For example, some files I want to index on a web server might not exist on a database server. Or, I want to index web logs from a subset of our web servers.

Right now I've addressed this issue using the deployment server, serverClass.conf, and 'applications'. I'm creating a separate application for each item I want to index, then assigning that application to each server as necessary via whitelists/blacklists. As my inputs grow this is becoming a management headache. I'd prefer to maintain a single inputs.conf file and have the forwarder determine which inputs to activate, rather than defining this logic in serverClass.conf and creating all these extra applications. Is this possible? How else could I create these different combinations of inputs?


Tags (3)

Splunk Employee
Splunk Employee

The recommended way to do this would be what you're already doing, defining server classes and specifying which input apps apply to each server class. I'm not really sure that the logic or management would be any different, since somehow you have to (a) divide the forwarders into various "classes" and (b) define which inputs run on each class. This is done by using different inputs.conf files in different apps. Using something else like puppet or chef or cfengine might be preferable, but having separate files for each independently configurable item is for now the recommended approach.


Is this still the best approach?

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...