I have a new installation of Splunk (v-4.2.4) up and running and am starting to use the deployment server.
I have one test client and have installed the universal forwarder in /opt/splunkforwarder.
Connectivity is up and running and the client is showing up in the deployment monitor as active.
I've created a new deployment-app (linux-base) and have successfully deployed it to the aforementioned client. It shows up in /opt/splunkforwarder/etc/apps/linux-base and consists of an inputs.conf that is fairly basic as I just want to capture information from /var/log
Here is inputs.conf
[monitor:///var/log]
disabled = false
followTail = 1
recursive = true
index = amz
blacklist = (\.gz$|\.tgz$|faillog|wtmp|lastlog|core|audit|[0-9]$|store.log$)
Now here is the problem: I never see any info from /var/log. It doesn't appear to be processed at all?
I verified this by running ./splunk btool inputs list and confirmed that I'm only seeing the $Splunk_Home data. Which is what is defined by
What I'm not sure about is why it doesn't see the configuration I've defined in the app I deployed. Shouldn't it pick up the alternate inputs.conf and forward the info to the indexer as defined by the
Any help is greatly appreciated!
Did you configure the forwarder to send the data to the indexer with outputs.conf? Did you enable data receiving on the indexer? I'm no expert, but you may need to define a whitelist for what logs you do want. Maybe a "whitelist=*", since you appear to blacklist everything you don't want already? The following is an excerpt from a forwarder I use:
[monitor:///var/log]
whitelist = (\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist = (lastlog)
index = linuxserver
disabled = 0
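The two stanzas in this thread behave quite differently against the same directory, and the difference is easier to see by simulating Splunk's matching than by reading the regexes. The script below is an added example, not code from the thread or from Splunk: it applies whitelist/blacklist the way a [monitor://] stanza does (both are regexes searched, unanchored, against the full path of each file; a blacklist match excludes the file, and a file that survives the blacklist is then included unless a whitelist exists and does not match it, so a stanza with no whitelist accepts everything the blacklist lets through). The regexes are copied from the question and the answer above; the list of /var/log paths is constructed for illustration and includes a file whose name happens to contain the substring "core", which the question's unanchored blacklist alternative also matches.

```python
import re

# Stanza regexes copied verbatim from the thread. The question's stanza has
# no whitelist; the answer's stanza has both.
QUESTION_STANZA = {
    "blacklist": r"(\.gz$|\.tgz$|faillog|wtmp|lastlog|core|audit|[0-9]$|store.log$)",
}
ANSWER_STANZA = {
    "whitelist": r"(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)",
    "blacklist": r"(lastlog)",
}

# Constructed sample of what a recursive monitor of /var/log might find.
SAMPLE_PATHS = [
    "/var/log/messages",
    "/var/log/secure",
    "/var/log/auth.log",
    "/var/log/messages.1",            # rotated copy, name ends in a digit
    "/var/log/syslog.2.gz",           # compressed rotated copy
    "/var/log/audit/audit.log",
    "/var/log/lastlog",
    "/var/log/wtmp",
    "/var/log/cron",
    "/var/log/dmesg",
    "/var/log/apache2/access.log",
    "/var/log/app/scoreboard.log",    # "scoreboard" contains the substring "core"
]


def monitor_accepts(path, whitelist=None, blacklist=None):
    """Decide whether a [monitor://] stanza would pick up `path`.

    Mirrors Splunk's rule: blacklist is checked first and wins; then, if a
    whitelist is set, the path must match it. Both are unanchored searches
    over the full path, so `core` in a blacklist matches anywhere in the path.
    """
    if blacklist and re.search(blacklist, path):
        return False
    if whitelist and not re.search(whitelist, path):
        return False
    return True


def accepted_paths(stanza, paths):
    """Return the subset of `paths` the stanza would monitor, in input order."""
    return [
        p for p in paths
        if monitor_accepts(p, stanza.get("whitelist"), stanza.get("blacklist"))
    ]


def rejected_paths(stanza, paths):
    """Complement of accepted_paths, useful for spotting over-broad blacklists."""
    kept = set(accepted_paths(stanza, paths))
    return [p for p in paths if p not in kept]


if __name__ == "__main__":
    for name, stanza in (("question", QUESTION_STANZA), ("answer", ANSWER_STANZA)):
        print(f"== {name} stanza ==")
        for p in SAMPLE_PATHS:
            verdict = "monitor" if p in accepted_paths(stanza, SAMPLE_PATHS) else "skip   "
            print(f"  {verdict} {p}")
```

Two things the run makes visible: the answer's stanza picks up rotated files such as messages.1 and audit.log because its whitelist matches them and its blacklist only names lastlog, and the question's stanza drops scoreboard.log because the bare `core` alternative is not anchored to a path component. Neither stanza is wrong in itself, but a blacklist built from bare substrings should be checked against the real directory listing before it is deployed.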
You may want to ship a couple of additional files in your app, and double-check your

In my inputs-only apps, I always ship a default/app.conf with these minimum settings:

[install]
state = enabled
is_configured = true

[ui]
is_visible = false
is_manageable = false

I ship an (empty) local/app.conf as well (which is probably not necessary).
And, back on the deployment server, make sure these two settings are set for the app in question:
Also, make sure that when assembling your app, you follow the Splunk pattern for these apps. All *.conf files need to be in either local/ -- otherwise Splunk won't parse them into the configuration.
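The layout rule in the answer above (conf files are only read from the app's default/ or local/ directory, local/ overriding default/) is easy to get wrong when an app is assembled by hand on the deployment server, and the symptom is exactly the one in the question: btool never lists the stanza. The script below is an added example, not code from the thread or from Splunk: it assembles a linux-base app in a temporary directory using the app.conf and inputs.conf text from this thread, then runs a local sanity check that a practitioner can apply before pushing the app, flagging any *.conf file outside default/ or local/, a missing inputs.conf, or an app.conf whose [install] state is not enabled. The directory name, the `build_app`/`check_app` helpers and the deliberately broken second app are all constructed for this example.

```python
import configparser
import os
import tempfile

# app.conf text from the answer above (minimum settings for an inputs-only app).
APP_CONF = """[install]
state = enabled
is_configured = true

[ui]
is_visible = false
is_manageable = false
"""

# inputs.conf stanza from the question above.
INPUTS_CONF = r"""[monitor:///var/log]
disabled = false
followTail = 1
recursive = true
index = amz
blacklist = (\.gz$|\.tgz$|faillog|wtmp|lastlog|core|audit|[0-9]$|store.log$)
"""

CONF_DIRS = ("default", "local")  # the only places Splunk reads *.conf from in an app


def build_app(root, name="linux-base", misplace_inputs=False):
    """Write a deployment app under `root` and return its path.

    With misplace_inputs=True the inputs.conf lands in the app root instead of
    default/, reproducing a common hand-assembly mistake (constructed case).
    """
    app = os.path.join(root, name)
    for d in CONF_DIRS:
        os.makedirs(os.path.join(app, d), exist_ok=True)
    with open(os.path.join(app, "default", "app.conf"), "w") as f:
        f.write(APP_CONF)
    open(os.path.join(app, "local", "app.conf"), "w").close()  # empty, as in the answer
    target = app if misplace_inputs else os.path.join(app, "default")
    with open(os.path.join(target, "inputs.conf"), "w") as f:
        f.write(INPUTS_CONF)
    return app


def check_app(app):
    """Return a list of layout problems; an empty list means nothing obvious is wrong."""
    problems = []

    # 1. Every *.conf must sit under default/ or local/ (any depth below is fine).
    for dirpath, _, files in os.walk(app):
        for fn in files:
            if not fn.endswith(".conf"):
                continue
            rel = os.path.relpath(os.path.join(dirpath, fn), app)
            if rel.split(os.sep)[0] not in CONF_DIRS:
                problems.append(f"{rel}: *.conf files are only read from default/ or local/")

    # 2. There must be an inputs.conf somewhere Splunk will read it.
    if not any(os.path.isfile(os.path.join(app, d, "inputs.conf")) for d in CONF_DIRS):
        problems.append("no inputs.conf in default/ or local/; btool will not list the stanza")

    # 3. app.conf must exist and not disable the app. Reading default then local
    #    gives configparser the same precedence Splunk applies (local wins).
    cp = configparser.ConfigParser(interpolation=None)
    found = cp.read([os.path.join(app, d, "app.conf") for d in CONF_DIRS])
    if not found:
        problems.append("no app.conf in default/ or local/")
    elif cp.get("install", "state", fallback="enabled").strip().lower() != "enabled":
        problems.append("app.conf [install] state is not 'enabled'")

    return problems


def demo():
    """Build one correct app and one mis-assembled app; return both problem lists."""
    root = tempfile.mkdtemp(prefix="splunk-apps-")
    good = check_app(build_app(root, name="linux-base"))
    bad = check_app(build_app(root, name="linux-base-broken", misplace_inputs=True))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("linux-base:", good or "ok")
    print("linux-base-broken:", bad)
```

The check is intentionally limited to what can be verified without a Splunk install; once the app is on the forwarder, `splunk btool inputs list --debug` from the forwarder's bin/ directory is the authoritative view of which file each stanza came from, and the app should appear there by path.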
Cool. I updated the actual answer with that tidbit of advice. If you don't mind, please click the "accept answer" checkbox to the left so the answers system will treat this as "answered". Thanks.
Kate - so, btool still doesn't show your input as being part of the overall Splunk configuration? Is your inputs.conf in either the local directory of your deployed app?
Thanks dwaddle! I made those changes and sent out the updated deployment, and everything is updated. However, I still don't see any of the /var/log data being processed, just the $Splunk_Home data under /opt/splunk....