I went to Settings > Data inputs > Local performance monitoring and defined a new collection based on the object and counters I wanted.
Then, I added a stanza in the /etc/system/local/inputs.conf that described the data I wanted to be forwarded.
I then searched for collection=<thenameofmynewcollection> and all I found were records from my indexer host, not the web server I want to monitor. However, I cannot find a stanza in any inputs.conf on the search head/indexer that reflects the change.
Is Data inputs just a screen to modify the inputs.conf on the search
Is there any way to get a pretty interface like that for the
Why do you think my events are not being forwarded from the web server? (sort of a separate issue I guess)
However, you can turn a regular Splunk into:
- a HF heavy forwarder (it will parse the events, but forward the cooked data to another server) and the UI will be up.
- or a LWF light weight forwarder (it will not parse the events, like a universal forwarder) but the UI will be disabled.
I see, my personal method when I have a large set of forwarders to set up.
- use a regular Splunk UI to set up the inputs
- verify the inputs
- copy the config generated in the apps
- install/deploy the apps to the forwarders
- go home early
Why then does it say everywhere to use Splunk Web rather than edit inputs.conf directly? For a universal forwarder the only option is to edit the files directly. I guess that is why I was confused. Seriously, this is on all the documentation about inputs.conf:
"While you can add performance monitor inputs manually, Splunk recommends that you use Splunk Web to configure them, because it is easy to mistype the values for Performance Monitor objects, counters and instances."
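
A pre-deployment check for the "verify the inputs" step and the mistyping concern in the quoted documentation, as an added example that is not from this thread or from Splunk: it parses an inputs.conf and flags perfmon stanzas with missing, misspelled or disabled settings before the file is copied to forwarders. The collection names and sample file are constructed, and treating `object`, `counters` and `interval` as the required attributes is an assumption of this example.

```python
import configparser
import difflib

# Assumption: these are the attributes every perfmon stanza needs;
# instances, index and the rest are treated as optional here.
REQUIRED = ("object", "counters", "interval")

# Constructed sample: one collection as a UI would write it, one hand-edited.
SAMPLE = """\
[perfmon://WebServerCPU]
object = Processor
counters = % Processor Time;% User Time
instances = _Total
interval = 10
disabled = 0

[perfmon://WebServerMem]
object = Memory
counter = Available MBytes
interval = ten
disabled = 1

[WinEventLog://Security]
disabled = 0
"""

def lint_perfmon(conf_text):
    """Return (collection, problem) pairs for the perfmon stanzas in conf_text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("perfmon://"):
            continue  # other input types are out of scope
        name, stanza = section[len("perfmon://"):], cp[section]
        for key in REQUIRED:
            if not stanza.get(key, "").strip():
                # A near-miss key usually means a typo rather than an omission.
                near = difflib.get_close_matches(key, list(stanza.keys()), n=1, cutoff=0.8)
                hint = f" (found '{near[0]}')" if near else ""
                findings.append((name, f"missing {key}{hint}"))
        interval = stanza.get("interval", "").strip()
        if interval and not interval.isdigit():
            findings.append((name, "interval is not a whole number"))
        if stanza.get("disabled", "0").strip().lower() in ("1", "true"):
            findings.append((name, "stanza is disabled"))
    return findings

if __name__ == "__main__":
    for collection, problem in lint_perfmon(SAMPLE):
        print(f"{collection}: {problem}")
```

This only checks the structure of the stanza; whether an object or counter name actually exists can only be confirmed on the Windows host that runs the input.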