Getting Data In

How to properly configure inputs.conf on a shared server?

rune_hellem
Contributor

Splunk forwarder 8.0.2 - All on Windows. Case is, we do have a server which, due to licensing issues of a product is shared for all preprod environments. Logs are structured like this

d:\logs\sites
     - Dev 
            - <sitename>
                   - messagelogs
                   - w3c
     - Test 
            - <sitename>
                   - messagelogs
                   - w3c
     - Qa
            - <sitename>
                   - messagelogs
                   - w3c

For each environment I have configured inputs.conf like this

[monitor://d:\logs\sites\dev\*\*Exceptions.log]

Replacing the name of the environment in every file. The rest of the stanza is fine, because the servers which are pr. environment has the same stanza, but omitting the name of the environment - like this

[monitor://d:\logs\sites\*\*Exceptions.log]

If I am not totally mistaken, the use of the wildcard is correct and means "One level, any name", compared to three dots '...' which means "any levels down until you find a match". Therefore the two example-stanzas should not 'collide' and also the inputs.conf for the other enviroments should also not cause an issue since they have their unique name in the path.

But still - no events logged from that server. Exept for - realzing now when writing this - that the stanzas

[monitor://C:\Windows\System32\LogFiles\HTTPERR\httperr*.log]
[monitor://d:\logs\powershell\*.log]

are identical in all inputs.conf, but it seems that the "first" index takes preference for that and indexes it to the dev-index. But still, cannot see that it could break the rest.

No errors logges when restarting the forwarder, not running the btool --debug (Just warnings found on all the other servers as well)

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...