Getting Data In

Do we need a different inputs.conf file for Linux and Windows?

Explorer

We have a product that runs on both Windows and Linux. Both platforms can host a Splunk forwarder, and send data to Splunk. I am developing a TA for this product, so the forwarder can be managed from a deployment servers. However, the inputs.conf is different for each platform because our data files are in different locations on each. Question: Is there a way to write a single inputs.conf file both platforms, or is it necessary to have a different inputs.conf file for each (which is what I have now).

0 Karma

SplunkTrust
SplunkTrust

You can have the same inputs.conf flie and you will get an error message saying it cant find the file on both systems.

Like this:

 [batch://c:\appId\logs\*.log]
 index=...
 disabled=0
 ...

 [batch:///opt/appId/logs/*.log]
 index=...
 disabled=0
 ...

It shouldnt hurt splunk at all, but it will be logged as error/warn on restarts etc.

0 Karma

Explorer

Thanks for the answers. They were very helpful. I went with two TA's, one for each platform. I guess that means three Splunkbase entries. One for the app, and 2 for the TA's.

0 Karma

SplunkTrust
SplunkTrust

you will find this paculiarity in splunk apps across the board. Usually you get around this issue by packaging your app with all the inputs disabled by default. Then as part of the configuration the admin should enable the correct inputs as per their environment. Below is an example of inputs.conf from the SoS app which I have modified on for use in a linux environment. By default disabled = 1 on all of these.

[script://./bin/ps_sos.sh]
interval = 15
sourcetype = ps
source = ps_sos
index = sos
disabled = 0

[script://./bin/lsof_sos.sh]
interval = 600
sourcetype = lsof
source = lsof_sos
index = sos
disabled = 0

[script://.\bin\sospowershell.cmd ps_sos.ps1]
source = ps_sos.ps1
sourcetype = ps
interval= 5
index = sos
disabled = 1 

[script://./bin/nfs-iostat_sos.py]
source = nfs-iostat_sos.py
sourcetype = nfs-iostat_sos
passAuth = splunk-system-user
interval = 5
index = sos
disabled = 1 

Note the Power Shell for windows and the other scripts for linux platforms.

0 Karma

SplunkTrust
SplunkTrust

And for that matter, you see how they do ./bin/ps_sos.sh? what that will do is make it use the bin folder in the SOS app's directory. So you could further simplify to this:

  #windows batch
  [batch://.\logs\*.log]
  index=...
  disabled=0
  ...

 #linux batch
  [batch://./logs/*.log]
  index=...
  disabled=0
  ...
0 Karma

SplunkTrust
SplunkTrust

And finally for even more granularity you could create both a windows and a linux version of your app. See Unix TA and Windows TA for examples of that approach. Then you can use a deployment server to make sure everyone gets the correct app.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!