Getting Data In

indexer : local events vs incoming events

fabien_picard
New Member

Hi,
when working on the indexer machine:
how do I know if a specific configuration (like a input monitor stanza) is applied to the incoming events received from the remote UF or if it's applied to the local generated events ? how can I separate these settings ?

Example:
Indexer installed on Windows, I want to exclude event 4662 from localhost but not from the events received from UF.
Are there two monitor defined ? Where ?

What if I already applied a blacklist filtering on the UF? A second filtering will be again applied on the indexer ?

Thanks

=======================================
I suppose I didn't manage to express myself correctly. Let's try again:
The splunk indexer is a role that is installed on a machine.
The indexer is receiving logs from other machines called (most of the time) Universal Forwarders (UF)
All the settings in props.conf and transforms.conf on the indexer are meant to be applied to the incoming logs in order to filter/change/reroute/index/drop/etc those logs/events from UF
BUT the indexer is also a machine that is generating logs. Let's call them local logs.
What settings are used to deal with the local logs ? Is there a inputs.conf for the local logs ?
How can I filter local logs without interfering with the filtering of incoming logs from the UF ?
Should I configure a UF on the indexer in order to inject logs into itself ? (that's nonsense, but for the sake of the comprehension)
Is there a unique setting for all logs (incoming & local) ? /etc/system/local ?

0 Karma
1 Solution

DavidHourani
Super Champion

Hi Fabien,

Yes there is an inputs.conf file on the indexer. Typically you only want to have port 9997 as an input there so that your indexer can receive the forwarded logs from your UF. You can also have other local file monitors/etc... but it is not recommended since it you're better off having dedicated indexers.
Now if you want to see which logs are coming from the indexers then you have to run a search using your indexer name as a filter.
A quick query to see how much logs are coming in from your indexer and to find out which files are generating them:

| tstats count WHERE host=yourIndexer BY source

Let me know if you need further details.

Regards,
David

View solution in original post

0 Karma

DavidHourani
Super Champion

Hi Fabien,

Yes there is an inputs.conf file on the indexer. Typically you only want to have port 9997 as an input there so that your indexer can receive the forwarded logs from your UF. You can also have other local file monitors/etc... but it is not recommended since it you're better off having dedicated indexers.
Now if you want to see which logs are coming from the indexers then you have to run a search using your indexer name as a filter.
A quick query to see how much logs are coming in from your indexer and to find out which files are generating them:

| tstats count WHERE host=yourIndexer BY source

Let me know if you need further details.

Regards,
David

0 Karma

mayurr98
Super Champion

You are confusing yourself. Just to make it simple for you..whatever you write in inputs.conf of universal forwarder that only will get index by indexer. It will not be applied to a local indexer or to any other machine.Also, you can separate these things out based on a source.
You can check for events coming from the different/ same index in the source field using below command:

index=* source=* | dedup source | table source host

you will get the list of source you are monitoring and corresponding host.

Also if you want to exclude some events from a specific source and keep the rest then you can follow these 3 simple steps from below doc:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Discard_specif...

let me know if this helps!

0 Karma

fabien_picard
New Member

I suppose I didn't manage to express myself correctly. Let's try again:
The splunk indexer is a role that is installed on a machine.
The indexer is receiving logs from other machines called (most of the time) Universal Forwarders (UF)
All the settings in props.conf and transforms.conf on the indexer are meant to be applied to the incoming logs in order to filter/change/reroute/index/drop/etc those logs/events from UF
BUT the indexer is also a machine that is generating logs. Let's call them local logs.
What settings are used to deal with the local logs ? Is there a inputs.conf for the local logs ?
How can I filter local logs without interfering with the filtering of incoming logs from the UF ?
Should I configure a UF on the indexer in order to inject logs into itself ? (that's nonsense, but for the sake of the comprehension)
Is there a unique setting for all logs (incoming & local) ? /etc/system/local ?

0 Karma

mayurr98
Super Champion

hey if you want to ingest something from local machine then there is no unique setting for all logs (incoming & local) ? /etc/system/local

you have to write same inputs.conf with the local machine file path as you have written on UF.
i.e. monitor stanza
So you do not need to configure anything on indexer which is unique. You just have to write inputs.conf at /etc/system/local OR /etc/app/<app-name>/local and then restart the indexer.

I hope you understand it now!

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...