I have installed the Splunk_TA_nix add-on on my universal forwarder to send Linux logs. What is the difference between forwarding the logs through the add-on and forwarding logs through /etc/system/local/inputs.conf? Will both do the same thing? Will the Splunk_TA_nix add-on extract the fields from the Linux logs (/var/log/messages, /var/log/maillog) so that they are CIM compatible?
There isn't any difference in the inputs; the main difference is in management:
If you put all the inputs in dedicated TAs (e.g. TA_nix), you can distribute and update them using a Deployment Server; in other words, you have to modify apps in only one place.
If instead you put all the inputs in one big inputs.conf in $SPLUNK_HOME/etc/system/local, you cannot use the Deployment Server and you have to manually deploy and update inputs.conf on all your servers.
So, if you have few servers (e.g. in a lab), you can do this manually; if you have many servers it isn't possible!
To better understand this way of deploying apps: it's a best practice to also put the outputs.conf and deploymentclient.conf, which are often in $SPLUNK_HOME/etc/system/local, in a dedicated Technical Add-On (called e.g. TA_Forwarder or TA_sendtoindexer), so you can manage them in a centralized way.
Thanks for that. One last thing: does the Splunk_TA_nix add-on extract the fields of the inputs provided to it so that they are CIM compatible? If this add-on doesn't do that, is there any other add-on which extracts fields from my logs (e.g. /var/log/*)?
As you can see at https://splunkbase.splunk.com/app/833/, this TA is compatible with CIM 4.x.
Open it and see which inputs you have by default:
File and Directory Inputs: /etc, /home/*/.bash_history, /Library/Logs, /root/.bash_history, /var/adm, /var/log
Scripted Inputs: bandwidth.sh, cpu.sh, df.sh, hardware.sh, interfaces.sh, iostat.sh, lastlog.sh, lsof.sh, netstat.sh, nfsiostat.sh, openPorts.sh, openPortsEnhanced.sh, package.sh, passwd.sh, protocol.sh, ps.sh, rlog.sh, selinuxChecker.sh, service.sh, sshdChecker.sh, time.sh, top.sh, update.sh, uptime.sh, usersWithLoginPrivs.sh, version.sh, vmstat.sh, vsftpdChecker.sh, who.sh
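As an added example (not code from this thread and not part of Splunk's own add-on), the script below builds the layout both answers describe: a TA_sendtoindexer app holding outputs.conf and deploymentclient.conf so the forwarder's destination and deployment-server settings can be pushed centrally instead of living in $SPLUNK_HOME/etc/system/local, plus a local/inputs.conf override in Splunk_TA_nix that switches on the /var/log file input listed above. The hostnames, ports, client name and app name are placeholders, and the stanza name [monitor:///var/log] is assumed from the TA's /var/log input; check it against the TA's default/inputs.conf before use. conf_value is a small helper that reads a key back out of a stanza so you can confirm what was written.

```shell
#!/bin/sh
# Added example, not from the Splunk Answers thread or from Splunk_TA_nix itself.
# Builds two deployment-server-managed apps under an apps directory:
#   TA_sendtoindexer : outputs.conf + deploymentclient.conf (placeholder hosts/ports)
#   Splunk_TA_nix    : local/inputs.conf enabling the assumed [monitor:///var/log] stanza
set -eu

# Create the forwarder TA with outputs.conf and deploymentclient.conf.
# $1 = apps directory (e.g. $SPLUNK_HOME/etc/apps)
make_forwarder_ta() {
    ta_local="$1/TA_sendtoindexer/local"
    ta_default="$1/TA_sendtoindexer/default"
    mkdir -p "$ta_local" "$ta_default"
    cat > "$ta_local/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Placeholder indexer hosts; 9997 is the usual receiving port.
server = indexer1.example.internal:9997, indexer2.example.internal:9997
EOF
    cat > "$ta_local/deploymentclient.conf" <<'EOF'
[deployment-client]
clientName = linux-forwarder

[target-broker:deploymentServer]
# Placeholder deployment server; 8089 is the management port.
targetUri = deploy.example.internal:8089
EOF
    # An app.conf marks the directory as an app so Splunk loads it.
    cat > "$ta_default/app.conf" <<'EOF'
[install]
state = enabled
EOF
}

# Enable the /var/log file input of Splunk_TA_nix via a local override.
# Assumes the default stanza is named [monitor:///var/log]; other settings
# (sourcetype, whitelist, index) are inherited from the TA's default/inputs.conf.
enable_nix_varlog() {
    nix_local="$1/Splunk_TA_nix/local"
    mkdir -p "$nix_local"
    cat > "$nix_local/inputs.conf" <<'EOF'
[monitor:///var/log]
disabled = 0
EOF
}

# Print the value of KEY inside [STANZA] of a .conf file (first match, comments skipped).
# usage: conf_value FILE STANZA KEY
conf_value() {
    awk -v stanza="[$2]" -v key="$3" '
        /^\[/ { in_stanza = ($0 == stanza); next }
        in_stanza && $0 !~ /^#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v)
                print v; exit
            }
        }' "$1"
}

# When run with an apps directory argument, build both apps and echo the values back.
if [ $# -gt 0 ]; then
    make_forwarder_ta "$1"
    enable_nix_varlog "$1"
    echo "defaultGroup: $(conf_value "$1/TA_sendtoindexer/local/outputs.conf" tcpout defaultGroup)"
    echo "targetUri:    $(conf_value "$1/TA_sendtoindexer/local/deploymentclient.conf" target-broker:deploymentServer targetUri)"
    echo "/var/log disabled: $(conf_value "$1/Splunk_TA_nix/local/inputs.conf" monitor:///var/log disabled)"
fi
```

Run it as `sh make_ta.sh "$SPLUNK_HOME/etc/apps"` on the forwarder, or point it at a deployment-apps directory on the Deployment Server so the same two apps are pushed to every forwarder in the server class. Keeping the site-specific settings in local/ rather than default/ means an updated TA version will not overwrite them.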