Order of precedence and conflicts in inputs.conf

yoho
Contributor

I would like to set up a Splunk forwarder to listen for syslog connections (let's say on port 1514). I know specific source IP addresses which send a specific sourcetype, but for the others, I don't know. So I was thinking of having an inputs.conf looking like this:

[udp://1.2.3.4:1514]
sourcetype = asm_log

[udp://:1514]
sourcetype = syslog

But won't the two stanzas conflict? If not, what will be the order of precedence between these 2 stanzas? Is this order guaranteed to stay the same whatever stanza is in the other config files? Can I invert the two stanzas and get the same results?

0 Karma

gfuente
Motivator

Hello

They will conflict, and Splunk applies them by lexicographical order, supposing that they are in the same app and the same folder (default or local).

Regards

gfuente
Motivator

You are welcome. If they share the incoming port, you'll need to transform the data and parse the content to select the sourcetype.

yoho
Contributor

@lukejadamec: I knew the link, but my question was related to the precedence within a single file, which is only documented for props.conf if I'm not mistaken.

@gfuente: thanks, it answers the question, but how can I have Splunk listen for any source IP and set the sourcetype for specific ones? Will I have to use props/transforms?

0 Karma

BlueSocket
Communicator

This is old now, but this might help someone else.
You can override the sourcetype in the props.conf and transforms.conf. Have a look at this:
https://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Advancedsourcetypeoverrides

0 Karma
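
The props/transforms override mentioned in this thread, written out for the scenario in the question as an added example (it is not from any poster or from the linked documentation). It assumes a single listener on port 1514 and the sender address 1.2.3.4 from the question; the transform name `set_sourcetype_asm_log` is hypothetical.

```ini
# ---- inputs.conf (constructed example) ----
# One stanza for every sender, so no two stanzas compete for the port.
[udp://1514]
sourcetype = syslog
# Set the host field to the sender's IP so the transform can match on it.
connection_host = ip

# ---- props.conf ----
# Applies to every event that arrives through the UDP 1514 input.
[source::udp:1514]
TRANSFORMS-asm_sourcetype = set_sourcetype_asm_log

# ---- transforms.conf ----
# Hypothetical stanza name, referenced from props.conf above.
[set_sourcetype_asm_log]
# Test the host metadata field instead of the raw event text.
SOURCE_KEY = MetaData:Host
# MetaData:Host values carry a "host::" prefix. Escape the dots and anchor
# both ends so that an address such as 1.2.3.40 does not also match.
REGEX = ^host::1\.2\.3\.4$
# Rewrite the sourcetype for matching events only; others stay "syslog".
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::asm_log
```

These transforms run at parse time, so props.conf and transforms.conf belong on the indexer or a heavy forwarder; a universal forwarder does not apply them. Confirm with a search that `host` holds the sender's IP for these events, because any other transform that rewrites `host` before this one changes what the REGEX sees.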

lukejadamec
Super Champion

Here is the link to the doc that explains configuration precedence:
http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Wheretofindtheconfigurationfiles

0 Karma