Re: Conditionally 'activate' inputs?

briguy · ‎08-19-2011

Hi all - I'm looking for some advice on managing different combinations of inputs based on server type. For example, some files I want to index on a web server might not exist on a database server. Or, I want to index web logs from a subset of our web servers.

Right now I've addressed this issue using the deployment server, serverClass.conf, and 'applications'. I'm creating a separate application for each item I want to index, then assigning that application to each server as necessary via whitelists/blacklists. As my inputs grow this is becoming a management headache. I'd prefer to maintain a single inputs.conf file and have the forwarder determine which inputs to activate, rather than defining this logic in serverClass.conf and creating all these extra applications. Is this possible? How else could I create these different combinations of inputs?

Thanks!

gkanapathy · ‎08-21-2011

The recommended way to do this would be what you're already doing, defining server classes and specifying which input apps apply to each server class. I'm not really sure that the logic or management would be any different, since somehow you have to (a) divide the forwarders into various "classes" and (b) define which inputs run on each class. This is done by using different inputs.conf files in different apps. Using something else like puppet or chef or cfengine might be preferable, but having separate files for each independently configurable item is for now the recommended approach.

balaa · ‎03-22-2012

Is this still the best approach?

Conditionally 'activate' inputs?

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk