Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Do we need a different inputs.conf file for Linux and Windows?

therabbit
Explorer
‎05-15-2015 10:47 AM

We have a product that runs on both Windows and Linux. Both platforms can host a Splunk forwarder, and send data to Splunk. I am developing a TA for this product, so the forwarder can be managed from a deployment servers. However, the inputs.conf is different for each platform because our data files are in different locations on each. Question: Is there a way to write a single inputs.conf file both platforms, or is it necessary to have a different inputs.conf file for each (which is what I have now).

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-15-2015 11:26 AM

You can have the same inputs.conf flie and you will get an error message saying it cant find the file on both systems.

Like this:

 [batch://c:\appId\logs\*.log]
 index=...
 disabled=0
 ...

 [batch:///opt/appId/logs/*.log]
 index=...
 disabled=0
 ...

It shouldnt hurt splunk at all, but it will be logged as error/warn on restarts etc.

0 Karma
Reply

therabbit
Explorer
‎05-17-2015 03:25 PM

Thanks for the answers. They were very helpful. I went with two TA's, one for each platform. I guess that means three Splunkbase entries. One for the app, and 2 for the TA's.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-15-2015 11:28 AM

you will find this paculiarity in splunk apps across the board. Usually you get around this issue by packaging your app with all the inputs disabled by default. Then as part of the configuration the admin should enable the correct inputs as per their environment. Below is an example of inputs.conf from the SoS app which I have modified on for use in a linux environment. By default disabled = 1 on all of these.

[script://./bin/ps_sos.sh]
interval = 15
sourcetype = ps
source = ps_sos
index = sos
disabled = 0

[script://./bin/lsof_sos.sh]
interval = 600
sourcetype = lsof
source = lsof_sos
index = sos
disabled = 0

[script://.\bin\sospowershell.cmd ps_sos.ps1]
source = ps_sos.ps1
sourcetype = ps
interval= 5
index = sos
disabled = 1 

[script://./bin/nfs-iostat_sos.py]
source = nfs-iostat_sos.py
sourcetype = nfs-iostat_sos
passAuth = splunk-system-user
interval = 5
index = sos
disabled = 1

Note the Power Shell for windows and the other scripts for linux platforms.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-15-2015 11:32 AM

And for that matter, you see how they do ./bin/ps_sos.sh? what that will do is make it use the bin folder in the SOS app's directory. So you could further simplify to this:

  #windows batch
  [batch://.\logs\*.log]
  index=...
  disabled=0
  ...

 #linux batch
  [batch://./logs/*.log]
  index=...
  disabled=0
  ...
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-15-2015 11:41 AM

And finally for even more granularity you could create both a windows and a linux version of your app. See Unix TA and Windows TA for examples of that approach. Then you can use a deployment server to make sure everyone gets the correct app.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...