Getting Data In

How to properly configure inputs.conf on a shared server?


Splunk forwarder 8.0.2 - All on Windows. Case is, we do have a server which, due to licensing issues of a product is shared for all preprod environments. Logs are structured like this

     - Dev 
            - <sitename>
                   - messagelogs
                   - w3c
     - Test 
            - <sitename>
                   - messagelogs
                   - w3c
     - Qa
            - <sitename>
                   - messagelogs
                   - w3c

For each environment I have configured inputs.conf like this


Replacing the name of the environment in every file. The rest of the stanza is fine, because the servers which are pr. environment has the same stanza, but omitting the name of the environment - like this


If I am not totally mistaken, the use of the wildcard is correct and means "One level, any name", compared to three dots '...' which means "any levels down until you find a match". Therefore the two example-stanzas should not 'collide' and also the inputs.conf for the other enviroments should also not cause an issue since they have their unique name in the path.

But still - no events logged from that server. Exept for - realzing now when writing this - that the stanzas


are identical in all inputs.conf, but it seems that the "first" index takes preference for that and indexes it to the dev-index. But still, cannot see that it could break the rest.

No errors logges when restarting the forwarder, not running the btool --debug (Just warnings found on all the other servers as well)

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...