Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find app by using a log source in search query?

Sailesh6891
Engager
‎11-27-2024 06:59 AM

Hi,

I have a log source (/logs/abc/def). I want to know what are the apps  using this log source in their inputs.conf.

 

Can someone provide me the search query?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-27-2024 07:21 AM

Since it's inputs.conf, they'll be distributed among the forwarders and so harder to search.  The best approach likely will be to use the CLI to scan the deployment-apps directory on the Deployment Server.

find /opt/splunk/etc/deployment-apps -name inputs.conf -print0 | xargs -r0 grep -i "logs\/abc\/def"

A complicating factor is the potential use of wildcards ('*' and "...") in monitor stanzas.  I'm sure you can modify the grep to find those.

---
If this reply helps you, Karma would be appreciated.
Reply

dural_yyz
Motivator
‎11-27-2024 08:06 AM

I like this idea but I've always inserted an extra step.  Run a query on the data in Splunk for the Source but then used the SourceType value to search the inputs.  Helps to avoid any issues with wildcards or regex in the log path and filename.

To each their own and whatever works is always the best solution.

Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-27-2024 07:27 AM

That's only half of the problem.

The other half is that it can as well be completely externally submitted data - with HEC input you can set the source to anything you want (actually even for monitor inputs you could set the source to anything you want but it's rather unlikely that someone deliberately rewrites the source field to mislead you as to the real origin of the data) but stil have one HEC source.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-27-2024 07:43 AM

That's a valid point about HEC events being able to specify any source value, however, that would not be associated with an app and so would not apply to the OP's request.

It's possible a transform can be used to change the source name to something else.  Those can be found by searching the transforms.conf file on an indexer (or on the Cluster Manager).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-27-2024 07:47 AM

There can be many things done with data within Splunk ingestion process so the general "how to find XXX with one search" question response should usually be appended with a big warning "if your case is somewhat unusual, this might not work at all". I think I could even write props/transforms to rewrite each event's source to a random value (and route to a random index 😁). Try finding where such event came from unless you _know_ it.

0 Karma
Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Top