Getting Data In

different monitors for different hosts under the same index



I have a case where I need to onboard data from different hosts and paths but under the same index. As an example, I need to onboard from server1 logfile /foo/bar1.log, and from server2 /foo/bar2.log. 

If I create one app and in the inputs.conf place [monitor:///foo/bar*.log] and in the serverclass add server1 and server2, it will start to gather data from both files from both servers (I assume that they both exist on both servers). 

Now, the only workaround that comes to my mind is to separate them into 2 different apps, like:


inputs.conf - [monitor:///foo/bar1.log] 

serverclass: server1



inputs.conf - [monitor:///foo/bar2.log] 

serverclass: server2


The question is: is it possible to do this within one app?

0 Karma


Hi @przemysaw,

A server class is configured in serverclass.conf on the deployment server. 

Yes, you can deploy the same app with the same monitor configurations on both server1 and server2.


index = index_name
sourcetype = sourcetype_name



And to deploy this app on the forwarders on both server1 and server2, configure server classes in serverclass.conf on the deployment server and reload the deployment server.






If this reply helps you, an upvote/like would be appreciated.

0 Karma


Hi @przemysaw,

the fact that you have all data in the same index isn't relevant: an index in Splunk is a container and the only reasons to use different indexes (also for different data) are:

  • data retention (data with different retention values must be in different indexes);
  • access grants (data with different access grants must be in different indexes).

After this introduction, you can have all the data in the same index.

This is a normal problem for all the people who approach Splunk coming from the database world: Splunk isn't a database and it's very different!

Then you can distinguish data from one server from the other using the host field, which always has a value.

About the question of using one or two apps (it's better to call these apps Technical Add-ons or TAs, not Apps; apps are the ones on Search Heads), it depends on whether you have data from both paths on both servers and whether you want to take all of them or not.

In other words:

  • if you want all the paths on all the servers, you can have only one TA with both paths in inputs.conf, otherwise you can use two TAs in different ServerClasses;
  • you can use one stanza if you have to assign to the data the same sourcetype, otherwise you have to use two stanzas, each one with its own sourcetype;
  • you can recognize data from a server using the host field.



0 Karma
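
The two-TA layout described in the replies above, written out as an added example (it is not from any poster in this thread). The TA names ta_bar1 and ta_bar2 and the server class names sc_bar1 and sc_bar2 are hypothetical, index_name and sourcetype_name are the placeholders used in the thread, and it assumes server1 and server2 are the names the deployment clients report.

```ini
# Three separate files are shown in one block; the comment above each
# part names the file it belongs to.

# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# One server class per host, so each forwarder receives only the TA
# that monitors the file it is supposed to send.
[serverClass:sc_bar1]
whitelist.0 = server1

[serverClass:sc_bar1:app:ta_bar1]
restartSplunkd = true

[serverClass:sc_bar2]
whitelist.0 = server2

[serverClass:sc_bar2:app:ta_bar2]
restartSplunkd = true

# --- $SPLUNK_HOME/etc/deployment-apps/ta_bar1/local/inputs.conf ---
# Delivered to server1 only: bar2.log on that host is never read,
# even if it exists there.
[monitor:///foo/bar1.log]
index = index_name
sourcetype = sourcetype_name

# --- $SPLUNK_HOME/etc/deployment-apps/ta_bar2/local/inputs.conf ---
# Delivered to server2 only. Same index as ta_bar1; events are told
# apart at search time by the host and source fields.
[monitor:///foo/bar2.log]
index = index_name
sourcetype = sourcetype_name

# After changing serverclass.conf, reload the deployment server so the
# forwarders pick up the new mapping on their next check-in.
```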