How to know what inputs.conf a given event came fr...

neiljpeterson · ‎04-07-2014

So if you have any reasonably complicated deployment, likely you have a fair number of inputs.conf that your UF is reading.

If you are trying to change a field on given event that is being forwarded... like say a log that needs a different sourcetype... and you want to change that stanza from the appropriate input.conf how do you know which one to change? Is the only way to do a search of the content of the file? Trounle is, it is not always clear what stanza and in which file caused an event to be forwarded.

Much like "source" which tells you exactly what file the data came from, I was thinking about adding a "conf" field to show exactly which inputs.conf had forwarded on this particular event.

So how is this sort of thing tracked in a large scale environment according to best practices?

yannK · ‎04-07-2014

The beauty and curse of the conf file is that they all stack.
if you found the correct source, but have several inputs matching it, the best solution is run a btool and check how they merge.

./splunk cmd btool inputs list --debug

How to know what inputs.conf a given event came from?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation