Configuration Files in Default and Local App folders: How to create three sourcetypes?

SplunkDash
Motivator

Hello,

I have one data source and am getting the feed through the inputs.conf file located under the default folder, and it is currently assigned to one sourcetype. It has files with 3 different naming conventions and I have to create three sourcetypes based on that. How should I do it? Should I create separate configuration files (props and inputs) inside the local folder, assign 3 sourcetypes, and leave the inputs.conf file under the default folder as it is? Or should I make changes within inputs.conf located in the default folder? But it is recommended not to make any changes within the default folder. Your recommendation would be highly appreciated. Thank you!

gcusello
SplunkTrust

Hi @SplunkDash,

first, are you speaking of a custom Add-On or one from Splunkbase?

If it's from Splunkbase, you only have to enable (if not enabled) the inputs in inputs.conf, copying it from the default to the local folder.

If you're speaking of a custom Add-on, you have to create an inputs.conf with all the enabled inputs and add in each stanza the name of the sourcetype to use.

You can locate it (only because it's a custom Add-On) in the local or default folder; my hint is to locate it in the local folder, only for mental mapping, but it isn't mandatory and you can also locate it in the default folder.

Then you can also put the props.conf in the local or default folder, but remember that (with the only exception of indexed extractions: csv, json, etc.) it isn't important because parsing is done on Indexers or (if present) on Heavy Forwarders.

For this reason, remember to put this Add-On (with props.conf) also on these other systems, otherwise your logs aren't correctly parsed.

Ciao.

Giuseppe
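
The layout described in the reply above, as an added example that is not part of the original thread: a `local/inputs.conf` with one monitor stanza per file naming convention, each carrying its own sourcetype. The directory, file name patterns, index, and sourcetype names are hypothetical placeholders.

```ini
# <your_addon>/local/inputs.conf
# Hypothetical paths, file name patterns, index and sourcetype names.

# Same stanza name as the existing single-sourcetype input in
# default/inputs.conf. Within an app, settings in local/ take precedence
# over default/ for a stanza with the same name, so this turns the old
# input off without editing default/. Other stanzas in default/ are untouched.
[monitor:///data/feed]
disabled = 1

# One stanza per naming convention; "*" matches within the file name.
[monitor:///data/feed/orders_*.log]
sourcetype = feed:orders
index = main
disabled = 0

[monitor:///data/feed/payments_*.log]
sourcetype = feed:payments
index = main
disabled = 0

[monitor:///data/feed/audit_*.log]
sourcetype = feed:audit
index = main
disabled = 0

# Any props.conf stanzas for [feed:orders], [feed:payments] and [feed:audit]
# must also be deployed to the Indexers or Heavy Forwarders that parse the data.
```

If the old stanza is left enabled, files matching the new patterns are still covered by the original input as well, so disable it or narrow it before enabling the three new ones.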

SplunkDash
Motivator

@gcusello,

It's a custom Add-On; only the default folder contains the configuration files. The inputs.conf file under the default folder also contains stanzas for other apps (custom Add-On). But I need to make changes to a stanza within the inputs.conf file for only one app. Should I make the changes in inputs.conf located in the default folder, or copy that inputs.conf file to the local folder and make the changes there? Thank you again.

gcusello
SplunkTrust

Hi @SplunkDash,

for a custom Add-On it's the same thing because the Add-On is managed by you, so there isn't the risk of overriding configurations during updates.

Anyway, only for mental mapping, I suggest moving inputs.conf to the local folder, but it isn't mandatory.

Ciao.

Giuseppe
