Getting Data In

Do Splunk allow multiple inputs.conf in different App?

michael_wong
Path Finder

Hello,

 

We have two deployment-App, named A and B.  They both have inputs.conf to monitor path /log/A and /log/B.

If I use deployment server to push either A or B, it works fine. But If I push both A and B to the clients, only App path /log/A or /log/B is being monitored.

Is this because two app's inputs.conf are located in /default folder?

 

Thanks,

Mike

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

hi @michael_wong,

you can have many inputs.conf in your Forwarders, but only one for each app.

The real problem is that Splunk ingest logs from one file only one time, so (as @venkatasri  said), if each your inputs.confs address different logs you haven't any problem.

Instead you will surely have problems if two or more inputs.confs address the same log file, because that log will be indexed only one time.

So you have to analize your inputs to avoid this.

you can use the btool command to list all the active inputs.conf:

./splunk btools inputs list -debug

or (better) plan your inputs using a sheet.

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

hi @michael_wong,

you can have many inputs.conf in your Forwarders, but only one for each app.

The real problem is that Splunk ingest logs from one file only one time, so (as @venkatasri  said), if each your inputs.confs address different logs you haven't any problem.

Instead you will surely have problems if two or more inputs.confs address the same log file, because that log will be indexed only one time.

So you have to analize your inputs to avoid this.

you can use the btool command to list all the active inputs.conf:

./splunk btools inputs list -debug

or (better) plan your inputs using a sheet.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @michael_wong,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @michael_wong 

Yes it does allows many inputs.conf under various apps, technically you are trying to monitor two different log files/A and /B hence should be ok.

Can you issue following command on UF and see what files being monitored when you push both the apps.

./splunk list inputstatus

--

An upvote would be appreciated and Accept solution if this reply helps!

 

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.

Can’t make it to .conf25? Join us online!

Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...