Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Conditionally 'activate' inputs?

briguy
Engager
‎08-19-2011 11:01 AM

Hi all - I'm looking for some advice on managing different combinations of inputs based on server type. For example, some files I want to index on a web server might not exist on a database server. Or, I want to index web logs from a subset of our web servers.

Right now I've addressed this issue using the deployment server, serverClass.conf, and 'applications'. I'm creating a separate application for each item I want to index, then assigning that application to each server as necessary via whitelists/blacklists. As my inputs grow this is becoming a management headache. I'd prefer to maintain a single inputs.conf file and have the forwarder determine which inputs to activate, rather than defining this logic in serverClass.conf and creating all these extra applications. Is this possible? How else could I create these different combinations of inputs?

Thanks!

Tags (3)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-21-2011 08:45 PM

The recommended way to do this would be what you're already doing, defining server classes and specifying which input apps apply to each server class. I'm not really sure that the logic or management would be any different, since somehow you have to (a) divide the forwarders into various "classes" and (b) define which inputs run on each class. This is done by using different inputs.conf files in different apps. Using something else like puppet or chef or cfengine might be preferable, but having separate files for each independently configurable item is for now the recommended approach.

Reply

balaa
Engager
‎03-22-2012 04:17 AM

Is this still the best approach?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...