We have a product that runs on both Windows and Linux. Both platforms can host a Splunk forwarder, and send data to Splunk. I am developing a TA for this product, so the forwarder can be managed from a deployment servers. However, the inputs.conf is different for each platform because our data files are in different locations on each. Question: Is there a way to write a single inputs.conf file both platforms, or is it necessary to have a different inputs.conf file for each (which is what I have now).
You can have the same inputs.conf flie and you will get an error message saying it cant find the file on both systems.
[batch://c:\appId\logs\*.log] index=... disabled=0 ... [batch:///opt/appId/logs/*.log] index=... disabled=0 ...
It shouldnt hurt splunk at all, but it will be logged as error/warn on restarts etc.
you will find this paculiarity in splunk apps across the board. Usually you get around this issue by packaging your app with all the inputs disabled by default. Then as part of the configuration the admin should enable the correct inputs as per their environment. Below is an example of inputs.conf from the SoS app which I have modified on for use in a linux environment. By default disabled = 1 on all of these.
[script://./bin/ps_sos.sh] interval = 15 sourcetype = ps source = ps_sos index = sos disabled = 0 [script://./bin/lsof_sos.sh] interval = 600 sourcetype = lsof source = lsof_sos index = sos disabled = 0 [script://.\bin\sospowershell.cmd ps_sos.ps1] source = ps_sos.ps1 sourcetype = ps interval= 5 index = sos disabled = 1 [script://./bin/nfs-iostat_sos.py] source = nfs-iostat_sos.py sourcetype = nfs-iostat_sos passAuth = splunk-system-user interval = 5 index = sos disabled = 1
Note the Power Shell for windows and the other scripts for linux platforms.
And for that matter, you see how they do ./bin/ps_sos.sh? what that will do is make it use the bin folder in the SOS app's directory. So you could further simplify to this:
#windows batch [batch://.\logs\*.log] index=... disabled=0 ... #linux batch [batch://./logs/*.log] index=... disabled=0 ...
And finally for even more granularity you could create both a windows and a linux version of your app. See Unix TA and Windows TA for examples of that approach. Then you can use a deployment server to make sure everyone gets the correct app.