Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Do Splunk allow multiple inputs.conf in different App?

michael_wong
Path Finder
‎07-18-2021 10:12 PM

Hello,

 

We have two deployment-App, named A and B.  They both have inputs.conf to monitor path /log/A and /log/B.

If I use deployment server to push either A or B, it works fine. But If I push both A and B to the clients, only App path /log/A or /log/B is being monitored.

Is this because two app's inputs.conf are located in /default folder?

 

Thanks,

Mike

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-19-2021 12:01 AM

hi @michael_wong,

you can have many inputs.conf in your Forwarders, but only one for each app.

The real problem is that Splunk ingest logs from one file only one time, so (as @venkatasri  said), if each your inputs.confs address different logs you haven't any problem.

Instead you will surely have problems if two or more inputs.confs address the same log file, because that log will be indexed only one time.

So you have to analize your inputs to avoid this.

you can use the btool command to list all the active inputs.conf:

./splunk btools inputs list -debug

or (better) plan your inputs using a sheet.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-19-2021 12:01 AM

hi @michael_wong,

you can have many inputs.conf in your Forwarders, but only one for each app.

The real problem is that Splunk ingest logs from one file only one time, so (as @venkatasri  said), if each your inputs.confs address different logs you haven't any problem.

Instead you will surely have problems if two or more inputs.confs address the same log file, because that log will be indexed only one time.

So you have to analize your inputs to avoid this.

you can use the btool command to list all the active inputs.conf:

./splunk btools inputs list -debug

or (better) plan your inputs using a sheet.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-22-2021 05:31 AM

Hi @michael_wong,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎07-18-2021 10:27 PM

Hi @michael_wong 

Yes it does allows many inputs.conf under various apps, technically you are trying to monitor two different log files/A and /B hence should be ok.

Can you issue following command on UF and see what files being monitored when you push both the apps.

./splunk list inputstatus

--

An upvote would be appreciated and Accept solution if this reply helps!

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...