Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

different monitors for different hosts under the same index

przemysaw
Explorer
‎02-02-2021 04:01 AM

hi!

I have a case where I need to onboard data from different hosts and paths but under the same index. As an example, I need to onboard from server1 logfile /foo/bar1.log, and from server2 /foo/bar2.log. 

If I create one app and in the inputs.conf place [monitor:///foo/bar*.log] and in the serverclass add server1 and server2, it will start to gather data from both files from both servers (I assume that they both exists on both servers). 

Now, the only workaround that comes to my mind is to separate them into 2 different apps, like:

app1:

inputs.conf - [monitor:///foo/bar1.log] 

serverclass: server1

 

app2:

inputs.conf - [monitor:///foo/bar2.log] 

serverclass: server2

 

The question is, if it is possible to do it within one app?

Labels (3)
Labels
0 Karma
Reply

manjunathmeti
Champion
‎02-02-2021 04:16 AM

hi @przemysaw ,

A server class is configured in serverclass.conf on the deployment server. 

Yes, you can deploy the same app with the same monitor configurations on both server1 and server2.
myapp/default/inputs.conf

 

[monitor:///foo/bar*.log]
index = index_name
sourcetype = sourcetype_name

 

 

And to deploy this app on forwarder on both server1 and server2, configure server classes in serverclass.conf on deployment server and reload deployment server.

 

[serverClass:myserver_class]
whitelist.1=client_name_of_forwarder_on_server1
whitelist.2=client_name_of_forwarder_on_server2

[serverClass:myserver_class:app:my_app]

 

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-02-2021 04:15 AM

Hi @przemysaw,

the fact that you have all data in the same index isn't relevant: an index in Splunk is a container and the only reasono to use different indexer (also for different data) are.

  • data retention (data with different retention values must be in different indexes);
  • access grants (data with different access grants must be in different indexes).

After this introduction, you can have all the data in the same index.

This is a normal problem of all the people that approach Splunk coming from database world: Splunk isn't a database and it's very different!

Then you can identify data from a server from the other using the host field that has always a value.

About the question of using one or two apps (it's better call these apps Technical Add-ons or TAs not Apps, apps are the ones on Search Heads), it depends if you have data from both the paths in both the servers and if you want to take all of them or not.

In other words:

  • if you want all thepaths in all the servers, you can have only one TA with both the paths in inputs.conf, otherwise you can use two TAs in diferent ServerClasses;
  • you can use one stanza if you have to assign to the data the same sourcetype, otherwise you have to use two stanzas, each one with its own sourcetype;
  • you can recognize data from a server using the host field.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...