Hi,
We have 100 's of in our splunk system, what i need is, what are configured Forwarder Inputs in splunk system for all the apps using Splunk query.
i.e we have configured all the logs under inputs.conf for each app with monitor stanza around 100's of logs.
So I need to get all the logs files using Splunk Query.
Please help me.
Thanks in advance.
The metadata
command may be what you are looking for.
| metadata type=sources
will give you a list of all sources.
Thanks for your reply..
It's giving only reported logs/sources with in the time-frame (i.e. last 15mins, 60mins, 4hrs...etc..), but not configured sources under inputs.conf file in deployment server.
Splunk doesn't track/log the config files in the deployment-apps directory so there isn't anything to search. You'd have to do something like have a script generate that data (ie cat) on some interval. You could add the directory to the list of inputs easy enough but once the files are read in Splunk will only read them in if they have changed which is why I mentioned the script.
Have you check out the DeploymentMonitor app. It ships with Splunk, but is not enabled by default.
To enable it, go to Manager -> Apps and click 'enable' for the SplunkDeploymentMonitor
Then you can choose DeploymentMonitor in the 'Apps' menu (it will not have much data to show right away, since it works with scheduled searches). You can set up alerts for 'quiet' or 'missing' forwarders.
source will help:
https://answers.splunk.com/answers/48209/best-way-to-alert-for-not-receiving-data-from-a-source.html