since are trying to separate out splunk forwarder config ("inputs.conf") according to indexer. we defined forwarder conf like "/opt/splunkforwarder/etc/apps/IND1/inputs.conf", "/opt/splunkforwarder/etc/apps/IND2/inputs.conf" and restarted the splunk instance. but somehow it is not working..Do I need to define "IND1" and "IND2" as an app first?
No, do I need to define outputs.conf for this?
Have you also defined outputs.conf for each config?
yes, I added to "local" directory like../opt/splunkforwarder/etc/apps/IND1/local/inputs.conf but it didn't work
inputs.conf
, like all other configuration files, need to be either in an app's default
directory or its local
directory. So, /opt/splunkforwarder/etc/apps/IND1/default/inputs.conf
would work, for instance.
OK, because that's not what it said in your question...anyhow, you shouldn't need to "activate" this anywhere, just restart the Splunk instance and you should be good to go. Possible steps forward is to check btool output ($SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
) to see if Splunk sees your defined inputs. If it does, you should check splunkd.log to see if there are any problems with the inputs you've defined.
yes, I added to "local" directory like../opt/splunkforwarder/etc/apps/IND1/local/inputs.conf but it didn't work