Knowledge Management

inputs configuration and location.

Mr_Sneed
Explorer

Hello all,

I am confused on which machines I am intended to have my inputs.conf files configured. 

1. I am currently operating under the assumption that inputs.conf files are primarily for the indexer is this correct?

2. If I update an inputs.conf file do I need to push the updated file through my deployment server so that the inputs.conf files tied to the applications on the S.U.F reflect in the same changes made on the manager.

a. I have raw xml data populating and I wish to fix this so that it is easier to read... Currently there is no source type in my inputs.conf. I believe applying an appropriate source type in the inputs.conf is the first step to fixing this problem. 

b. There are multiple stanzas in inputs.conf. Do I need to apply a source type to each of the stanzas that have to do with sending xml logs or is their a way to apply this change on global scale?

Z. Will someone please explain the difference between source and source type I have read the documentation on the manner and am still uncertain in my understanding.

 

Thanks for the help in advance!

 

Labels (3)
0 Karma

renjith_nair
Legend

inputs.conf is configured on the machine from where the data is forwarded. So it could be on UF,HF,Indexer or even on Search Head if the logs are being forwarded

Sourcetype can be applied on the general section which will be considered if individual sections are not specified

Please have a look at this https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Wheretofindtheconfigurationfiles more detailed information

And also here to have an understanding about the data processing

https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platfor...

  • The source is the name of the file, stream, or other input from which a particular event originates.
  • The sourcetype determines how Splunk software processes the incoming data stream into individual events according to the nature of the data.

In short , /var/log/apache.log is a source and how the source file should be parsed is defined by the sourcetype access_combined

 

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

Mr_Sneed
Explorer

Thank you for the information. It is very helpful!

 

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...