Is there a "Data inputs" screen for the forwarders?

neiljpeterson
Communicator

My goal is to pull in some info from perfmon, specifically from the APP_POOL_WAS object.

I read this page here: http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Real-timeWindowsperformancemonitoring

I went to Settings > Data inputs > Local performance monitoring and defined a new collection based on the object and counters I wanted.

Then, I added a stanza in the /etc/system/local/inputs.conf that described the data I wanted to be forwarded.

I then searched for collection=<thenameofmynewcollection> and all I found were records from my indexer host, not the web server I want to monitor. However, I cannot find a stanza in any inputs.conf on the search head/indexer that reflects the change.

  • Is Data inputs just a screen to modify the inputs.conf on the search head??

  • Is there any way to get a pretty interface like that for the forwarder?

  • Why do you think my events are not being forwarded from the web server? (sort of a separate issue I guess)

  • Please help

0 Karma

yannK
Splunk Employee

The Web interface exists only on the splunk build, not on the Universal Forwarder.

see http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Typesofforwarders

However, you can turn a regular Splunk into:
- a HF heavy forwarder (it will parse the events, but forward the cooked data to another server) and the UI will be up.
- or a LWF light weight forwarder (it will not parse the events, like a universal forwarder) but the UI will be disabled.

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Deployaforwarder

I would recommend using the LWF and re-enabling it in web.conf:

[settings]
startwebserver = true

0 Karma

yannK
Splunk Employee

I see. My personal method when I have a large set of forwarders to set up:
- use a regular splunk UI to set up the inputs
- verify the inputs
- copy the config generated in the apps
- install/deploy the apps to the forwarders
- go home early

0 Karma

neiljpeterson
Communicator

Why then does it say everywhere to use Splunk Web rather than edit inputs.conf directly? For a universal forwarder the only option is to edit the files directly. I guess that is why I was confused. Seriously, this is on all the documentation about inputs.conf:

"While you can add performance monitor inputs manually, Splunk recommends that you use Splunk Web to configure them, because it is easy to mistype the values for Performance Monitor objects, counters and instances."

0 Karma
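
The mistyping risk quoted above can be checked before a hand-edited inputs.conf is deployed to a universal forwarder. The following is an added example, not part of the thread or of Splunk's tooling: it lints perfmon stanzas against counter names listed by `typeperf -q` on the monitored host. The stanza names, counter list and both sample texts are constructed, and treating `object`, `counters` and `interval` as mandatory is an assumption based on inputs.conf.spec.

```python
import configparser

# Constructed sample of `typeperf -q APP_POOL_WAS` output from the web server.
TYPEPERF_SAMPLE = r"""
\APP_POOL_WAS(*)\Current Application Pool State
\APP_POOL_WAS(*)\Current Worker Processes
\APP_POOL_WAS(*)\Total Application Pool Recycles
"""

# Constructed inputs.conf; one counter is mistyped and one stanza is incomplete.
INPUTS_SAMPLE = """
[perfmon://AppPoolWAS]
object = APP_POOL_WAS
counters = Current Application Pool State; Total Application Pool Recycle
interval = 60

[perfmon://NoInterval]
object = APP_POOL_WAS
counters = *
"""

REQUIRED = ("object", "counters", "interval")  # assumed mandatory settings

def known_counters(typeperf_text):
    """Map object name -> set of counter names from typeperf path lines."""
    known = {}
    for line in typeperf_text.splitlines():
        parts = line.strip().split("\\")
        if len(parts) == 3 and parts[0] == "":
            obj = parts[1].split("(")[0]  # drop the "(instance)" suffix
            known.setdefault(obj, set()).add(parts[2])
    return known

def lint_perfmon(conf_text, known):
    """Return (stanza, problem) tuples for every perfmon:// stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    problems = []
    for name in (s for s in cp.sections() if s.startswith("perfmon://")):
        sec = cp[name]
        problems += [(name, f"missing {k}") for k in REQUIRED if k not in sec]
        obj = sec.get("object", "")
        if obj and obj not in known:
            problems.append((name, f"unknown object {obj}"))
        for c in filter(None, (c.strip() for c in sec.get("counters", "").split(";"))):
            if c != "*" and obj in known and c not in known[obj]:
                problems.append((name, f"unknown counter {c}"))
    return problems
```
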

neiljpeterson
Communicator

Thanks. I was somewhat aware of this. My takeaway was "just use the universal forwarder, don't worry about anything else"

I guess I was hoping there would be some feature on the search head to graphically manipulate inputs.conf across forwarders.

Seems like it would make sense to have a Splunk app that could modify inputs.conf across a large number of forwarders. What do large deployments do? Git or Puppet or something I imagine?

0 Karma