Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Conditionally 'activate' inputs?

briguy
Engager
‎08-19-2011 11:01 AM

Hi all - I'm looking for some advice on managing different combinations of inputs based on server type. For example, some files I want to index on a web server might not exist on a database server. Or, I want to index web logs from a subset of our web servers.

Right now I've addressed this issue using the deployment server, serverClass.conf, and 'applications'. I'm creating a separate application for each item I want to index, then assigning that application to each server as necessary via whitelists/blacklists. As my inputs grow this is becoming a management headache. I'd prefer to maintain a single inputs.conf file and have the forwarder determine which inputs to activate, rather than defining this logic in serverClass.conf and creating all these extra applications. Is this possible? How else could I create these different combinations of inputs?

Thanks!

Tags (3)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-21-2011 08:45 PM

The recommended way to do this would be what you're already doing, defining server classes and specifying which input apps apply to each server class. I'm not really sure that the logic or management would be any different, since somehow you have to (a) divide the forwarders into various "classes" and (b) define which inputs run on each class. This is done by using different inputs.conf files in different apps. Using something else like puppet or chef or cfengine might be preferable, but having separate files for each independently configurable item is for now the recommended approach.

Reply

balaa
Engager
‎03-22-2012 04:17 AM

Is this still the best approach?

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...