How do I configure the forwarder local inputs config file for more than one host

jamesmcgonagle
Explorer

[default]
host = host1,host2 etc

0 Karma
1 Solution

neelamssantosh
Contributor

Splunk can be fed with any of the metadata fields: host / source / sourcetype.
It is better to use source / sourcetype, as they keep the same value even though the host value differs.

source

[monitor:///var/log/xxx.log]
disabled = false
index = xx
# optional
host = host1, host2..
sourcetype = xxxxx

mcronkrite
Splunk Employee

So you want to add another input source to your inputs.conf file.

You need to add a stanza to inputs.conf that identifies the new data source.

For example, adding this stanza on *nix will monitor the /var/log/httpd directory for everything less than 7 days old and assign it the sourcetype = access_common (which is typical for *nix web logs).

[monitor:///var/log/httpd]
index = main
sourcetype = access_common
ignoreOlderThan = 7d

For your additional applications you will want to assign new sourcetypes, like applicationABC and applicationXYZ if they have different formats. If they have the same format then you could call them both applicationlog.

Here is the link to the inputs.conf.spec file online; it is also in your Splunk directory.
http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/inputsconf

0 Karma

barakreeves
Splunk Employee

Shot in the dark here, but if you are trying to send data to a forwarder from more than 1 host, you can chain forwarders together, which allows you to send data from more than 1 forwarder to another, then send data to an indexer. Having said that, be careful: what you build you must also maintain. Simplicity rules!

Here is a link that discusses this: http://answers.splunk.com/answers/129546/chaining-universal-forwarder.html

0 Karma

Ayn
Legend

Uhh, more details on what you're trying to achieve, what you tried and didn't work, etc. please?

jamesmcgonagle
Explorer

My normal setup is one host application with a log file per computer.
However, I have a situation where I have three host applications on the one PC that each create logs.
I need to be able to pull the log data from all three applications, depending on the host search specification within Splunk.
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
host = host1 or host2 or host3

Hope this makes it a bit clearer

barakreeves
Splunk Employee

Is the host name in the log directory or part of the file name? If so, here is the doco how to do that: http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/setadefaulthostforaninput

Scroll down to "dynamic" to see how to set the host name dynamically based upon file or directory name.
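
An added example, not part of the original thread: an inputs.conf sketch of the two approaches discussed above, a static host per monitor stanza and a host taken dynamically from the directory name with host_segment. The directory layout, file names, index and sourcetype are hypothetical; each stanza's host setting holds one value, so three applications get three stanzas.

```ini
# Added example. Paths, index and sourcetype below are hypothetical.

# Option 1 (static): one stanza per application log on the same PC.
# Each stanza carries exactly one host value, so events from each
# application are attributed to the right host at index time.
[monitor://C:\AppLogs\host1\app.log]
disabled = false
index = main
sourcetype = applicationlog
host = host1

[monitor://C:\AppLogs\host2\app.log]
disabled = false
index = main
sourcetype = applicationlog
host = host2

[monitor://C:\AppLogs\host3\app.log]
disabled = false
index = main
sourcetype = applicationlog
host = host3

# Option 2 (dynamic, shown with a *nix-style path): one stanza for the
# parent directory. host_segment = 4 takes the 4th path segment as host:
#   /var/log/apps/host1/app.log  ->  var(1) log(2) apps(3) host1(4)
# A new application directory is picked up without editing the file.
[monitor:///var/log/apps]
disabled = false
index = main
sourcetype = applicationlog
host_segment = 4
```

Both options only work when each application writes to its own file or directory; they cannot separate hosts that share a single log file.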

jamesmcgonagle
Explorer

Thanks barakreeves for the info.
After checking the log file I now realize that the 3 host names all use the one log file. This being the case, I need a Splunk search to return the same log data for any of the three host names entered in the search. Is this possible?

0 Karma