Hi all - I'm looking for some advice on managing different combinations of inputs based on server type. For example, some files I want to index on a web server might not exist on a database server. Or, I want to index web logs from a subset of our web servers.
Right now I've addressed this issue using the deployment server, serverClass.conf, and 'applications'. I'm creating a separate application for each item I want to index, then assigning that application to each server as necessary via whitelists/blacklists. As my inputs grow this is becoming a management headache. I'd prefer to maintain a single inputs.conf file and have the forwarder determine which inputs to activate, rather than defining this logic in serverClass.conf and creating all these extra applications. Is this possible? How else could I create these different combinations of inputs?
Hi All - I'm using the WMI input to gather some custom WMI data. Some of the queries (such as below) result in duplicate events being indexed since the same events are returned each time the query is run. The fix seems to be adding a where clause based on the current date, but I don't know of a way to do this. Starting to feel like I'm going to have to write something custom. Any ideas?
On a related note - is anyone using WMI permanent event subscription to gather WMI data, rather than using polling? Seems like it might be a better way to go.
disabled = 0
interval = 5
server = localhost
wql = Select * from Win32_NTLogEvent WHERE logfile='Application' and Type='error' and SourceName like '%.NET%'