Hello all,
I am confused on which machines I am intended to have my inputs.conf files configured.
1. I am currently operating under the assumption that inputs.conf files are primarily for the indexer is this correct?
2. If I update an inputs.conf file do I need to push the updated file through my deployment server so that the inputs.conf files tied to the applications on the S.U.F reflect in the same changes made on the manager.
a. I have raw xml data populating and I wish to fix this so that it is easier to read... Currently there is no source type in my inputs.conf. I believe applying an appropriate source type in the inputs.conf is the first step to fixing this problem.
b. There are multiple stanzas in inputs.conf. Do I need to apply a source type to each of the stanzas that have to do with sending xml logs or is their a way to apply this change on global scale?
Z. Will someone please explain the difference between source and source type I have read the documentation on the manner and am still uncertain in my understanding.
Thanks for the help in advance!
inputs.conf is configured on the machine from where the data is forwarded. So it could be on UF,HF,Indexer or even on Search Head if the logs are being forwarded
Sourcetype can be applied on the general section which will be considered if individual sections are not specified
Please have a look at this https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Wheretofindtheconfigurationfiles more detailed information
And also here to have an understanding about the data processing
In short , /var/log/apache.log is a source and how the source file should be parsed is defined by the sourcetype access_combined
Thank you for the information. It is very helpful!