Monitoring Splunk

How to find app by using a log source in search query?

Sailesh6891
Engager

Hi,

I have a log source (/logs/abc/def). I want to know which apps are using this log source in their inputs.conf.

Can someone provide me the search query?


richgalloway
SplunkTrust

Since it's inputs.conf, they'll be distributed among the forwarders and so harder to search.  The best approach likely will be to use the CLI to scan the deployment-apps directory on the Deployment Server.

find /opt/splunk/etc/deployment-apps -name inputs.conf -print0 | xargs -r0 grep -i "logs\/abc\/def"

A complicating factor is the potential use of wildcards ('*' and "...") in monitor stanzas.  I'm sure you can modify the grep to find those.

---
If this reply helps you, Karma would be appreciated.
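As an added example (not part of this thread or of Splunk's own tooling), the find/grep idea above can be extended to resolve the wildcard problem: parse each deployment app's inputs.conf, skip disabled stanzas, and translate Splunk's monitor wildcards ('*' within one path segment, '...' across segments) into a regex that is tested against the source path. The deployment-apps path, the per-segment treatment of '*' stanzas and the sample inputs.conf bodies are assumptions.

```python
import re
from pathlib import Path
STANZA_RE = re.compile(r"^\[monitor://(.+?)\]$")

def monitor_to_regex(stanza_path):
    # Splunk monitor wildcards: '*' stays within one path segment, '...' spans
    # any number of segments. A wildcard-free stanza naming a directory covers
    # everything beneath it; for wildcard stanzas we assume exact per-segment matching.
    parts, i = [], 0
    while i < len(stanza_path):
        if stanza_path.startswith("...", i):
            parts.append(".*"); i += 3
        elif stanza_path[i] == "*":
            parts.append("[^/]*"); i += 1
        else:
            parts.append(re.escape(stanza_path[i])); i += 1
    tail = "" if ("*" in stanza_path or "..." in stanza_path) else "(/.*)?"
    return re.compile("^" + "".join(parts) + tail + "$")

def monitor_stanzas(conf_text):  # paths of enabled [monitor://...] stanzas only
    enabled, current = {}, None
    for line in (l.strip() for l in conf_text.splitlines()):
        if line.startswith("["):
            m = STANZA_RE.match(line)
            current = m.group(1).rstrip("/") if m else None  # ignore script://, etc.
            if current: enabled[current] = True
        elif current and "=" in line and not line.startswith("#"):
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "disabled" and val.lower() in ("1", "true"):
                enabled[current] = False
    return [p for p, on in enabled.items() if on]

def apps_using_source(source, confs):  # confs: app name -> inputs.conf text
    return sorted(app for app, text in confs.items()
                  if any(monitor_to_regex(p).match(source) for p in monitor_stanzas(text)))

def read_deployment_apps(root="/opt/splunk/etc/deployment-apps"):  # path assumed
    confs = {}
    for conf in Path(root).glob("*/*/inputs.conf"):
        if conf.parent.name in ("default", "local"):
            app = conf.parents[1].name
            confs[app] = confs.get(app, "") + "\n" + conf.read_text(errors="replace")
    return confs

SAMPLE_CONFS = {  # constructed stand-in for deployment-apps contents
    "abc_inputs": "[monitor:///logs/abc/def]\nsourcetype = abc:def\n",
    "wild_inputs": "[monitor:///logs/.../def*]\ndisabled = 0\n",
    "old_inputs": "[monitor:///logs/abc/def]\ndisabled = 1\n",
    "other_inputs": "[monitor:///logs/xyz/*]\n[script://./bin/check.sh]\ndisabled = 0\n",
}
```

On a deployment server, `apps_using_source("/logs/abc/def", read_deployment_apps())` lists the apps whose enabled monitor stanzas cover that source; the sample data gives `['abc_inputs', 'wild_inputs']`.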

dural_yyz
Motivator

I like this idea but I've always inserted an extra step.  Run a query on the data in Splunk for the Source, but then use the SourceType value to search the inputs.  This helps to avoid any issues with wildcards or regex in the log path and filename.

To each their own and whatever works is always the best solution.

PickleRick
SplunkTrust

That's only half of the problem.

The other half is that it can as well be completely externally submitted data - with HEC input you can set the source to anything you want (actually even for monitor inputs you could set the source to anything you want, but it's rather unlikely that someone deliberately rewrites the source field to mislead you as to the real origin of the data) but still have one HEC source.

richgalloway
SplunkTrust

That's a valid point about HEC events being able to specify any source value, however, that would not be associated with an app and so would not apply to the OP's request.

It's possible a transform can be used to change the source name to something else.  Those can be found by searching the transforms.conf file on an indexer (or on the Cluster Manager).

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

There can be many things done with data within the Splunk ingestion process, so the response to the general "how to find XXX with one search" question should usually be appended with a big warning: "if your case is somewhat unusual, this might not work at all". I think I could even write props/transforms to rewrite each event's source to a random value (and route to a random index 😁). Try finding where such an event came from unless you _know_ it.