Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Do Splunk allow multiple inputs.conf in different App?

michael_wong
Path Finder
‎07-18-2021 10:12 PM

Hello,

 

We have two deployment-App, named A and B.  They both have inputs.conf to monitor path /log/A and /log/B.

If I use deployment server to push either A or B, it works fine. But If I push both A and B to the clients, only App path /log/A or /log/B is being monitored.

Is this because two app's inputs.conf are located in /default folder?

 

Thanks,

Mike

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-19-2021 12:01 AM

hi @michael_wong,

you can have many inputs.conf in your Forwarders, but only one for each app.

The real problem is that Splunk ingest logs from one file only one time, so (as @venkatasri  said), if each your inputs.confs address different logs you haven't any problem.

Instead you will surely have problems if two or more inputs.confs address the same log file, because that log will be indexed only one time.

So you have to analize your inputs to avoid this.

you can use the btool command to list all the active inputs.conf:

./splunk btools inputs list -debug

or (better) plan your inputs using a sheet.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-19-2021 12:01 AM

hi @michael_wong,

you can have many inputs.conf in your Forwarders, but only one for each app.

The real problem is that Splunk ingest logs from one file only one time, so (as @venkatasri  said), if each your inputs.confs address different logs you haven't any problem.

Instead you will surely have problems if two or more inputs.confs address the same log file, because that log will be indexed only one time.

So you have to analize your inputs to avoid this.

you can use the btool command to list all the active inputs.conf:

./splunk btools inputs list -debug

or (better) plan your inputs using a sheet.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-22-2021 05:31 AM

Hi @michael_wong,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎07-18-2021 10:27 PM

Hi @michael_wong 

Yes it does allows many inputs.conf under various apps, technically you are trying to monitor two different log files/A and /B hence should be ok.

Can you issue following command on UF and see what files being monitored when you push both the apps.

./splunk list inputstatus

--

An upvote would be appreciated and Accept solution if this reply helps!

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...