Getting Data In

Do Splunk allow multiple inputs.conf in different App?

michael_wong
Path Finder

Hello,

 

We have two deployment-App, named A and B.  They both have inputs.conf to monitor path /log/A and /log/B.

If I use deployment server to push either A or B, it works fine. But If I push both A and B to the clients, only App path /log/A or /log/B is being monitored.

Is this because two app's inputs.conf are located in /default folder?

 

Thanks,

Mike

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

hi @michael_wong,

you can have many inputs.conf in your Forwarders, but only one for each app.

The real problem is that Splunk ingest logs from one file only one time, so (as @venkatasri  said), if each your inputs.confs address different logs you haven't any problem.

Instead you will surely have problems if two or more inputs.confs address the same log file, because that log will be indexed only one time.

So you have to analize your inputs to avoid this.

you can use the btool command to list all the active inputs.conf:

./splunk btools inputs list -debug

or (better) plan your inputs using a sheet.

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

hi @michael_wong,

you can have many inputs.conf in your Forwarders, but only one for each app.

The real problem is that Splunk ingest logs from one file only one time, so (as @venkatasri  said), if each your inputs.confs address different logs you haven't any problem.

Instead you will surely have problems if two or more inputs.confs address the same log file, because that log will be indexed only one time.

So you have to analize your inputs to avoid this.

you can use the btool command to list all the active inputs.conf:

./splunk btools inputs list -debug

or (better) plan your inputs using a sheet.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @michael_wong,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @michael_wong 

Yes it does allows many inputs.conf under various apps, technically you are trying to monitor two different log files/A and /B hence should be ok.

Can you issue following command on UF and see what files being monitored when you push both the apps.

./splunk list inputstatus

--

An upvote would be appreciated and Accept solution if this reply helps!

 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...