Knowledge Management

inputs configuration and location.

Mr_Sneed
Explorer

Hello all,

I am confused on which machines I am intended to have my inputs.conf files configured. 

1. I am currently operating under the assumption that inputs.conf files are primarily for the indexer is this correct?

2. If I update an inputs.conf file do I need to push the updated file through my deployment server so that the inputs.conf files tied to the applications on the S.U.F reflect in the same changes made on the manager.

a. I have raw xml data populating and I wish to fix this so that it is easier to read... Currently there is no source type in my inputs.conf. I believe applying an appropriate source type in the inputs.conf is the first step to fixing this problem. 

b. There are multiple stanzas in inputs.conf. Do I need to apply a source type to each of the stanzas that have to do with sending xml logs or is their a way to apply this change on global scale?

Z. Will someone please explain the difference between source and source type I have read the documentation on the manner and am still uncertain in my understanding.

 

Thanks for the help in advance!

 

Labels (3)
0 Karma

renjith_nair
Legend

inputs.conf is configured on the machine from where the data is forwarded. So it could be on UF,HF,Indexer or even on Search Head if the logs are being forwarded

Sourcetype can be applied on the general section which will be considered if individual sections are not specified

Please have a look at this https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Wheretofindtheconfigurationfiles more detailed information

And also here to have an understanding about the data processing

https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platfor...

  • The source is the name of the file, stream, or other input from which a particular event originates.
  • The sourcetype determines how Splunk software processes the incoming data stream into individual events according to the nature of the data.

In short , /var/log/apache.log is a source and how the source file should be parsed is defined by the sourcetype access_combined

 

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

Mr_Sneed
Explorer

Thank you for the information. It is very helpful!

 

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...