Monitoring Splunk

Is there a way for Splunk to understand app-specific variables so that the variables usable in input.conf?

Nicholas_Key
Splunk Employee
Splunk Employee

I'm currently working with inputs.conf and would like to have the stanzas recognize the values that are assigned to the keys in the configuration page (setup.xml).

An example would be

[monitor://WAS_installation_path\profiles\WAS_profile_name\config\cells\WAS_cell_name\*.xml]
sourcetype = WebSphere:CellConfigurationXML
disabled = 0

Please bear in mind that I'm not using the operating system's environment variables but app-specific variables that are defined in the setup.xml

Is there a mechanism to achieve such task?

jrodman
Splunk Employee
Splunk Employee

Given that Lowell's understanding of the question is accurate, there's no specific support for doing this.

Options:

  • Parse the string and rewrite components.
  • Construct an inputs.conf or inputs.conf fragment as part of the install
  • Allow those path segements to be wildcards

Lowell
Super Champion

I'm guessing that WAS_installation_path, WAS_profile_name and WAS_cell_name are variables that Nicholas is trying to have replaced. Nicholas, care to jump in here?

0 Karma

jrodman
Splunk Employee
Splunk Employee

The goal here is to have the setup.xml control the sourcetype assigned in inputs.conf. I'm not sure exactly why though. Manager can modify the sourcetype for an input, so it seems to me you'd want to have the setup.xml somehow make use of the same endpoints, if possible.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

I don't understand. Can you clarify? In you example, do you mean that WebSphere:CellConfigurationXML would be replaced with a value that was specified by a user via the setup.xml?

0 Karma

Lowell
Super Champion

Hmm. I've always accomplished this with OS variables, which your saying will not work for you. I do wish there were a better way to do this... very good question!

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...