How many monitor stanza and how many index in inpu...

brober27 · ‎03-09-2018

Hi !
I have three types of logs from three different applications. I have loaded these logs on the Unversal Forwarder, in three different directories (opt/splunkforwarder/var/log/app1/,opt/splunkforwarder/var/log/app2/, opt/splunkforwarder/var/log/app3/).
I want they be sent to the indexer (I have only one Indexer - Indexer1) to three different indexes (index_app1, index_app2, index_app3).
I have written this inputs.conf file and put it in the /system/local directory:

[default]
host = universalforw
[monitor:///opt/splunkforwarder/var/log/app1/]
disabled = false
index = index_app1
[monitor:///opt/splunkforwarder/var/log/app2/]
disabled = false
index = index_app2
[monitor:///opt/splunkforwarder/var/log/app3/]
disabled = false
index = index_app3

Is this right? And should this logs be indexed in the indexer without any other configuration?
Should I need to write props.conf and trasforms.conf in order to redifect these logs o different indexes?

Thanks. Bye

richgalloway · ‎03-09-2018

This will work, although, for better performance, you should write a props.conf file that tells Splunk how to parse your data.

It's also considered a best practice to put inputs.conf in an app rather than in etc/system/local. That prepares you for the day you start using a deployment server,

---
If this reply helps you, Karma would be appreciated.

How many monitor stanza and how many index in inputs.conf file ?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!