Getting Data In

auto discover web log directories

Andre_
Path Finder

Hello,

Is it possible to configure a Universal Forwarder to automatically discover the location of weblogs for IIS or Apache? I can programmatically get the locations and have a script for Windows and Linux that returns a list of locations. 

Kind Regards

Andre

0 Karma

PickleRick
SplunkTrust

I have a deja vu. I think I answered the same question recently.

But to the point.

1) There is no way to create an input with a dynamic definition using just Splunk built-in mechanisms.

2) It's hard to believe that you have a decently sized environment without any standardization. If you do, I strongly advise to get it cleaned up because otherwise it will bite you in the most inconvenient place at the most inconvenient time.

3) A very ugly way to try to go around it could be to define an "input" running your script which would generate inputs.conf dynamically but this would require bending over backwards to handle forwarder restarts. I would very strongly (as opposed to just "strongly" from previous point) advise against it.

0 Karma

Andre_
Path Finder

Hi @PickleRick ,

Totally agree with you, some business models provide interesting challenges, let's say...

Can you use OS environment variables in the inputs.conf? If so, would they only be read on UF start up?

Cheers

Andre

0 Karma

PickleRick
SplunkTrust

Unfortunately, no.

0 Karma

Andre_
Path Finder

The only option would be an external mechanism to update the inputs.conf and reload the UF?
For example, have a scheduled task every hour that compares the inputs.conf and IIS configuration - if different, update inputs.conf and reload UF?

Kind Regards

Andre

0 Karma

gcusello
SplunkTrust

Hi @Andre_ ,

This is the mechanism used by the Deployment Server, so you can apply it, but it requires a restart of the local Splunk every time.

Are you sure that my hint isn't applicable?

Ciao.

Giuseppe

0 Karma

Andre_
Path Finder

Hi @gcusello ,

Unfortunately, I am not in control of the application layer. Web logs could be in any directory on any drive.

With a script to check and overwrite the inputs.conf, that will only require a local Splunk restart if the location changes. That usually happens rarely, but we need to capture it.

1. check log location

2. compare with current setting in inputs.conf

3. if different only - update & restart

Kind Regards

Andre

0 Karma
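The three-step check described in the post above, sketched in Python as an added example that is not part of the original thread or anyone's posted script. It assumes the poster's discovery script prints one directory per line on stdin, that the target inputs.conf path and the splunk binary path are passed as arguments, and that `iis` is the wanted sourcetype; all function names are hypothetical.

```python
import os
import re
import subprocess
import sys
import tempfile

# Characters that would let a discovered path break out of its stanza header.
_UNSAFE = re.compile(r"[\[\]\r\n]")
_ABSOLUTE = re.compile(r"^(/|[A-Za-z]:[\\/])")


def render_inputs(log_dirs, sourcetype):
    """Render monitor stanzas in sorted order so equal sets give equal text."""
    stanzas = []
    for d in sorted(set(log_dirs)):
        if _UNSAFE.search(d) or not _ABSOLUTE.match(d):
            raise ValueError(f"refusing suspicious log path: {d!r}")
        stanzas.append(f"[monitor://{d}]\nsourcetype = {sourcetype}\n")
    return "# Generated file, manual edits are overwritten\n\n" + "\n".join(stanzas)


def sync_inputs(conf_path, log_dirs, sourcetype="iis"):
    """Rewrite conf_path only if the discovered set changed; True means restart."""
    wanted = render_inputs(log_dirs, sourcetype)
    try:
        with open(conf_path, encoding="utf-8") as f:
            if f.read() == wanted:
                return False
    except FileNotFoundError:
        pass
    # Write to a temp file in the same directory and rename over the target, so
    # the forwarder never reads a half-written file. mkstemp creates it mode
    # 0600: run this as the forwarder's service account (assumption).
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(conf_path)))
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(wanted)
    os.replace(tmp, conf_path)
    return True


if __name__ == "__main__":
    # Hypothetical wiring: <discovery script> | python sync.py <inputs.conf> <splunk binary>
    conf, splunk_bin = sys.argv[1], sys.argv[2]
    dirs = [line.strip() for line in sys.stdin if line.strip()]
    if not dirs:
        sys.exit("discovery returned nothing; leaving inputs.conf untouched")
    if sync_inputs(conf, dirs):
        subprocess.run([splunk_bin, "restart"], check=True)
```

Because the discovered paths come from web server configuration that the forwarder's owner does not control, the path check keeps a crafted directory name from adding an extra stanza to the generated file.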

gcusello
SplunkTrust

Hi @Andre_ ,

OK, use your script, the logic seems to be correct.

Are you sure that it isn't possible to define a rule for IIS logs?

It seems very strange that your IIS are distributed without rules in all the filesystem, I suppose that they are in a predefined location and you could start from that location for your ingestion.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @Andre_ ,

I don't think that's possible, also because Universal Forwarder's configurations are usually managed using a Deployment Server.

But, you could have very large inputs and take all the weblogs or Apache logs, e.g. if your Apache logs are in the folder /opt/apache/<app>/data/<other_folders>/apache.log

you could use in your input:

[monitor:///opt/apache/.../*.log]

Ciao.

Giuseppe

 

0 Karma