Solved: Multiple source types to a single listner

shrirangphadke · ‎07-31-2015

Hi,

Sorry if repeated question.

Can we add multiple source-types to an existing listener?
OR Can we create a listener with multiple source-types but single index.

skoelpin · ‎07-31-2015

You can do both. You can have multiple source-types forwarding to the same index. You define what index they go on the server with the forwarder $Splunk_Home/etc/system/local inputs.conf

[sourcetype1]
index = indexName

[sourcetype2]
index = indexName2

If you don't specify an index in your inputs.conf then it will default to index=main

View solution in original post

skoelpin · ‎07-31-2015

You can do both. You can have multiple source-types forwarding to the same index. You define what index they go on the server with the forwarder $Splunk_Home/etc/system/local inputs.conf

[sourcetype1]
index = indexName

[sourcetype2]
index = indexName2

If you don't specify an index in your inputs.conf then it will default to index=main

shrirangphadke · ‎07-31-2015

Thank you very much! btw, is it possible on a system without forwarder ?

skoelpin · ‎07-31-2015

Glad I could help!

Can you clarify your question? You need a Splunk forwarder (usually a universal-forwarder) to forward data to your splunk indexer which makes it available in the GUI. The universal forwarders are light weight and use little resources on a server

So if you don't have a forwarder on a server then it will not make it into Splunk, unless you directly upload it..

woodcock · ‎07-31-2015

If by listener you mean forwarder, then yes to both. This is all configured inside inputs.conf so read all about it here:

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

Multiple source types to a single listner

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies