- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- inputs configuration and location.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs configuration and location.
Hello all,
I am confused on which machines I am intended to have my inputs.conf files configured.
1. I am currently operating under the assumption that inputs.conf files are primarily for the indexer is this correct?
2. If I update an inputs.conf file do I need to push the updated file through my deployment server so that the inputs.conf files tied to the applications on the S.U.F reflect in the same changes made on the manager.
a. I have raw xml data populating and I wish to fix this so that it is easier to read... Currently there is no source type in my inputs.conf. I believe applying an appropriate source type in the inputs.conf is the first step to fixing this problem.
b. There are multiple stanzas in inputs.conf. Do I need to apply a source type to each of the stanzas that have to do with sending xml logs or is their a way to apply this change on global scale?
Z. Will someone please explain the difference between source and source type I have read the documentation on the manner and am still uncertain in my understanding.
Thanks for the help in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs.conf is configured on the machine from where the data is forwarded. So it could be on UF,HF,Indexer or even on Search Head if the logs are being forwarded
Sourcetype can be applied on the general section which will be considered if individual sections are not specified
Please have a look at this https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Wheretofindtheconfigurationfiles more detailed information
And also here to have an understanding about the data processing
- The source is the name of the file, stream, or other input from which a particular event originates.
- The sourcetype determines how Splunk software processes the incoming data stream into individual events according to the nature of the data.
In short , /var/log/apache.log is a source and how the source file should be parsed is defined by the sourcetype access_combined
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the information. It is very helpful!
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
Introducing the Splunk Community Dashboard Challenge!
