Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Do Splunk allow multiple inputs.conf in different App?

michael_wong
Path Finder
‎07-18-2021 10:12 PM

Hello,

 

We have two deployment-App, named A and B.  They both have inputs.conf to monitor path /log/A and /log/B.

If I use deployment server to push either A or B, it works fine. But If I push both A and B to the clients, only App path /log/A or /log/B is being monitored.

Is this because two app's inputs.conf are located in /default folder?

 

Thanks,

Mike

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-19-2021 12:01 AM

hi @michael_wong,

you can have many inputs.conf in your Forwarders, but only one for each app.

The real problem is that Splunk ingest logs from one file only one time, so (as @venkatasri  said), if each your inputs.confs address different logs you haven't any problem.

Instead you will surely have problems if two or more inputs.confs address the same log file, because that log will be indexed only one time.

So you have to analize your inputs to avoid this.

you can use the btool command to list all the active inputs.conf:

./splunk btools inputs list -debug

or (better) plan your inputs using a sheet.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-19-2021 12:01 AM

hi @michael_wong,

you can have many inputs.conf in your Forwarders, but only one for each app.

The real problem is that Splunk ingest logs from one file only one time, so (as @venkatasri  said), if each your inputs.confs address different logs you haven't any problem.

Instead you will surely have problems if two or more inputs.confs address the same log file, because that log will be indexed only one time.

So you have to analize your inputs to avoid this.

you can use the btool command to list all the active inputs.conf:

./splunk btools inputs list -debug

or (better) plan your inputs using a sheet.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-22-2021 05:31 AM

Hi @michael_wong,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎07-18-2021 10:27 PM

Hi @michael_wong 

Yes it does allows many inputs.conf under various apps, technically you are trying to monitor two different log files/A and /B hence should be ok.

Can you issue following command on UF and see what files being monitored when you push both the apps.

./splunk list inputstatus

--

An upvote would be appreciated and Accept solution if this reply helps!

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...
Top