Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Configuration Files in Default and Local App folders: How to create three sourcetypes?

SplunkDash
Motivator
‎08-25-2022 01:56 PM

Hello,

I have one data source and getting feed through the inputs.conf file located under default folder and it is currently assigned to one sourcetype. It has files with 3 different naming conventions and I have to create three source types based on that. How should I do it? Should I create separate configuration files (props and inputs)  inside the local folder and assign 3 sourcetypes; leave the inputs.conf file under default folder as it is? or should I make changes within  inputs.conf  located in default folder.  But it is recommended not to  make any changes within  default folder. Your recommendation would be highly appreciated. Thank you!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-27-2022 01:39 AM

Hi @SplunkDash,

for a custom Add-On it's the same thing because the Add-On is managed by you so there isn't the risk to override configurations during updates.

Anyway, only for mental mapping, I hint to move inputs.conf in local folder, but it isn't mandatory.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-26-2022 01:04 AM

Hi @SplunkDash,

at first are you speaking of a custom Add-On or one from Splunkbase?

if from Splunkbase, you have only to enable (if not enabled) the inputs in inputs.conf, copying it from default to local folder.

If you're speaking of a custom Add-on, you have to create an inputs.conf with all the enabled inputs and add in each stanza the name of the sourcetype to use.

You can locate it (only because it's a custom Add-On) in local or default folder, my hint is to locate it in local  folder only for mental mapping, but it isn't mandatory and you can locate it also in default folder.

Then you can put also the props.conf in local or default folder, but remember that (with the only exception of indexed extractions: csv, json, etc...) it isn't important because parsing is done on Indexers or (if present) on Heavy Forwarders.

For this reason remember to put this Add-On (with props.conf) also on these other systems otherwise your logs arent correctly parsed.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

SplunkDash
Motivator
‎08-26-2022 09:41 AM

@gcusello,

It's a custom Add-On, only default folder contains the configuration files.  The inputs.conf file under default folder also contains stanza for other apps  (custom Add ON). But, I need to make changes on stanza within inputs.conf file  only for one app. Should I make changes in  inputs.conf located at the  default folder Or copy that inputs.conf file to local folder and make that changes. Thank you again. 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-27-2022 01:39 AM

Hi @SplunkDash,

for a custom Add-On it's the same thing because the Add-On is managed by you so there isn't the risk to override configurations during updates.

Anyway, only for mental mapping, I hint to move inputs.conf in local folder, but it isn't mandatory.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

SplunkDash
Motivator
‎08-25-2022 03:42 PM

I think I got the answer.

Anatomy of a Splunk app | Documentation | Splunk Developer Program

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...