Solved: How to index data from a single server when the lo...

santosh_hb · ‎10-17-2017

Hi All, I am facing the below issue:

I am reading few log sources (monitor) from the 3 servers, Server1, Server2 and Server3.
Along with that, I am also reading a log source (test1.txt) from a shared path (This path is shared across all 3 servers).
Now, the issue is: the same log source (test1.txt) is indexed twice on Splunk against the host Server2 and Server3.
Whereas, I want to index this source only once against the server Server1 and not to index for Server2 and Server3.
Is there a way in config file where I can specify that test1.txt should be monitored only from Server1.
How can I achieve this? Please help me. regards, Santosh

gcusello · ‎10-17-2017

Hi santosh_hb,
probably you used the same inputs.conf in all the servers, you could use a different one on server1 (with monitoring of test1.txt) than the other two servers (without monitoring of test1.txt).

Bye.
Giuseppe

View solution in original post

santosh_hb · ‎10-23-2017

Hi Giuseppe, Thanks for the reply. This works fine. I wanted to know if there is any other alternative way where I can just add/modify a single inputs.conf which can be pushed to all 3 servers without pushing separate inputs.conf for server1 and server2 and so-on.

hemendralodhi · ‎05-19-2020

Hi,Did you find solution for that? I need to have common inputs across all servers?

gcusello · ‎10-17-2017

Hi santosh_hb,
probably you used the same inputs.conf in all the servers, you could use a different one on server1 (with monitoring of test1.txt) than the other two servers (without monitoring of test1.txt).

Bye.
Giuseppe

How to index data from a single server when the log path is in a shared drive?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?