Getting Data In

How to index data from a single server when the log path is in a shared drive?

santosh_hb
Explorer

Hi All, I am facing the below issue:

I am reading few log sources (monitor) from the 3 servers, Server1, Server2 and Server3.
Along with that, I am also reading a log source (test1.txt) from a shared path (This path is shared across all 3 servers).
Now, the issue is: the same log source (test1.txt) is indexed twice on Splunk against the host Server2 and Server3.
Whereas, I want to index this source only once against the server Server1 and not to index for Server2 and Server3.
Is there a way in config file where I can specify that test1.txt should be monitored only from Server1.
How can I achieve this? Please help me. regards, Santosh

0 Karma
1 Solution

gcusello
Legend

Hi santosh_hb,
probably you used the same inputs.conf in all the servers, you could use a different one on server1 (with monitoring of test1.txt) than the other two servers (without monitoring of test1.txt).

Bye.
Giuseppe

View solution in original post

santosh_hb
Explorer

Hi Giuseppe, Thanks for the reply. This works fine. I wanted to know if there is any other alternative way where I can just add/modify a single inputs.conf which can be pushed to all 3 servers without pushing separate inputs.conf for server1 and server2 and so-on.

0 Karma

hemendralodhi
Contributor

Hi,Did you find solution for that? I need to have common inputs across all servers?

0 Karma

gcusello
Legend

Hi santosh_hb,
probably you used the same inputs.conf in all the servers, you could use a different one on server1 (with monitoring of test1.txt) than the other two servers (without monitoring of test1.txt).

Bye.
Giuseppe

*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>