Monitoring Splunk

inputs.conf precedence

jasonnadeau
Explorer

I am having problems with splunk configuration file precedence.

I have two inputs.conf in my splunk app. One in default and one in local. My reasoning is the sourcetype should be the same for all servers running this app. What I want to tune per server is the index that receives the logs. Some of these servers are in production which require logs for one year and some are in development which we only need logs for 30 days.

I put the sourcetype in the default/inputs.conf; this should be the file no one needs to edit when using this app. I put the index value in the local/inputs.conf, and here the system admin will specify if the server is dev or prod, which will be input in the index= line.

So far my logs are going into the main index, which is not where I want them. I read the Splunk wiki entry on precedence and unless I am reading it wrong I expect different results. I would expect Splunk to combine the configuration stanzas for the log file and, since I don't have conflicting configuration key values, it should look something like this:

[monitor:///some/path/file.log]
sourcetype=cool_log_type
index=dev


APP default/inputs.conf

[monitor:///some/path/file.log]
sourcetype=cool_log_type

APP local/inputs.conf

[monitor:///some/path/file.log]
index=dev

1 Solution

vbumgarner
Contributor

That looks like it should work, if the monitor statement is identical.

To see what Splunk thinks is being used, run this:

./splunk cmd btool inputs list --debug

That command will list out what Splunk is seeing as a merged inputs.conf, with the source on the left.

jasonnadeau
Explorer

Found the error; it was in default/inputs.conf.

One stanza was [monitor:///some/dir], the other was [monitor:/some/dir]. Splunk seemed to view those as separate entries and that caused the problem.

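To make the merge rule from the accepted answer and the follow-up concrete, here is an added Python model (not Splunk's own code) of how btool overlays an app's default/inputs.conf with its local/inputs.conf: keys are combined only when the stanza header strings match exactly, so the one-slash and three-slash monitor headers from the follow-up stay as two separate stanzas. The .conf text is constructed for the example, and find_split_monitors is a hypothetical helper that flags monitor headers pointing at the same path.

```python
import configparser
import re

# Constructed layers mirroring the question: the app's default and local inputs.conf.
DEFAULT_INPUTS = """
[monitor:///some/path/file.log]
sourcetype=cool_log_type
"""

LOCAL_INPUTS = """
[monitor:///some/path/file.log]
index=dev
"""

# Constructed variant reproducing the follow-up: header spelled with one slash in default.
DEFAULT_INPUTS_ONE_SLASH = """
[monitor:/some/path/file.log]
sourcetype=cool_log_type
"""


def parse_conf(text):
    """Parse one .conf layer into {stanza_header: {key: value}} (simplified: no continuation lines)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case; Splunk .conf keys are case-sensitive
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def merge_layers(*layers):
    """Overlay layers lowest precedence first. A later layer's key wins, but keys are only
    combined inside a stanza whose header string matches exactly (the rule the page relies on)."""
    merged = {}
    for layer in layers:
        for header, keys in layer.items():
            merged.setdefault(header, {}).update(keys)
    return merged


def monitor_path(header):
    """Return the filesystem path of a monitor stanza header, tolerating one to three slashes."""
    match = re.match(r"^monitor:/+(.*)$", header)
    return "/" + match.group(1) if match else None


def find_split_monitors(merged):
    """Hypothetical check: paths that appear under more than one header and therefore never merged."""
    by_path = {}
    for header in merged:
        path = monitor_path(header)
        if path:
            by_path.setdefault(path, []).append(header)
    return {path: sorted(headers) for path, headers in by_path.items() if len(headers) > 1}
```

Running merge_layers over the two good layers yields a single stanza carrying both sourcetype and index, while the one-slash variant produces two stanzas that find_split_monitors reports under the same path.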