Getting Data In

Multiple source types to a single listner

shrirangphadke
Path Finder

Hi,

Sorry if repeated question.

Can we add multiple source-types to an existing listener?
OR Can we create a listener with multiple source-types but single index.

0 Karma
1 Solution

skoelpin
SplunkTrust
SplunkTrust

You can do both. You can have multiple source-types forwarding to the same index. You define what index they go on the server with the forwarder $Splunk_Home/etc/system/local inputs.conf

[sourcetype1]
index = indexName

[sourcetype2]
index = indexName2

If you don't specify an index in your inputs.conf then it will default to index=main

View solution in original post

skoelpin
SplunkTrust
SplunkTrust

You can do both. You can have multiple source-types forwarding to the same index. You define what index they go on the server with the forwarder $Splunk_Home/etc/system/local inputs.conf

[sourcetype1]
index = indexName

[sourcetype2]
index = indexName2

If you don't specify an index in your inputs.conf then it will default to index=main

shrirangphadke
Path Finder

Thank you very much! btw, is it possible on a system without forwarder ?

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Glad I could help!

Can you clarify your question? You need a Splunk forwarder (usually a universal-forwarder) to forward data to your splunk indexer which makes it available in the GUI. The universal forwarders are light weight and use little resources on a server

So if you don't have a forwarder on a server then it will not make it into Splunk, unless you directly upload it..

0 Karma

woodcock
Esteemed Legend

If by listener you mean forwarder, then yes to both. This is all configured inside inputs.conf so read all about it here:

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

Get Updates on the Splunk Community!

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...