Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

inputs configuration and location.

Mr_Sneed
Explorer
‎02-20-2024 01:20 AM

Hello all,

I am confused on which machines I am intended to have my inputs.conf files configured. 

1. I am currently operating under the assumption that inputs.conf files are primarily for the indexer is this correct?

2. If I update an inputs.conf file do I need to push the updated file through my deployment server so that the inputs.conf files tied to the applications on the S.U.F reflect in the same changes made on the manager.

a. I have raw xml data populating and I wish to fix this so that it is easier to read... Currently there is no source type in my inputs.conf. I believe applying an appropriate source type in the inputs.conf is the first step to fixing this problem. 

b. There are multiple stanzas in inputs.conf. Do I need to apply a source type to each of the stanzas that have to do with sending xml logs or is their a way to apply this change on global scale?

Z. Will someone please explain the difference between source and source type I have read the documentation on the manner and am still uncertain in my understanding.

 

Thanks for the help in advance!

 

Labels (3)
0 Karma
Reply

renjith_nair
Legend
‎02-20-2024 04:02 AM

inputs.conf is configured on the machine from where the data is forwarded. So it could be on UF,HF,Indexer or even on Search Head if the logs are being forwarded

Sourcetype can be applied on the general section which will be considered if individual sections are not specified

Please have a look at this https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Wheretofindtheconfigurationfiles more detailed information

And also here to have an understanding about the data processing

https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platfor...

  • The source is the name of the file, stream, or other input from which a particular event originates.
  • The sourcetype determines how Splunk software processes the incoming data stream into individual events according to the nature of the data.

In short , /var/log/apache.log is a source and how the source file should be parsed is defined by the sourcetype access_combined

 

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

Mr_Sneed
Explorer
‎02-20-2024 04:15 AM

Thank you for the information. It is very helpful!

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...