Getting Data In

Do we need a different inputs.conf file for Linux and Windows?

therabbit
Explorer

We have a product that runs on both Windows and Linux. Both platforms can host a Splunk forwarder and send data to Splunk. I am developing a TA for this product, so the forwarder can be managed from a deployment server. However, the inputs.conf is different for each platform because our data files are in different locations on each. Question: Is there a way to write a single inputs.conf file for both platforms, or is it necessary to have a different inputs.conf file for each (which is what I have now)?

0 Karma

jkat54
SplunkTrust

You can have the same inputs.conf file and you will get an error message saying it can't find the file on both systems.

Like this:

 [batch://c:\appId\logs\*.log]
 index=...
 disabled=0
 ...

 [batch:///opt/appId/logs/*.log]
 index=...
 disabled=0
 ...

It shouldn't hurt Splunk at all, but it will be logged as error/warn on restarts etc.

0 Karma

therabbit
Explorer

Thanks for the answers. They were very helpful. I went with two TAs, one for each platform. I guess that means three Splunkbase entries: one for the app, and 2 for the TAs.

0 Karma

jkat54
SplunkTrust

You will find this peculiarity in Splunk apps across the board. Usually you get around this issue by packaging your app with all the inputs disabled by default. Then, as part of the configuration, the admin should enable the correct inputs as per their environment. Below is an example of inputs.conf from the SoS app which I have modified for use in a Linux environment. By default disabled = 1 on all of these.

[script://./bin/ps_sos.sh]
interval = 15
sourcetype = ps
source = ps_sos
index = sos
disabled = 0

[script://./bin/lsof_sos.sh]
interval = 600
sourcetype = lsof
source = lsof_sos
index = sos
disabled = 0

[script://.\bin\sospowershell.cmd ps_sos.ps1]
source = ps_sos.ps1
sourcetype = ps
interval = 5
index = sos
disabled = 1

[script://./bin/nfs-iostat_sos.py]
source = nfs-iostat_sos.py
sourcetype = nfs-iostat_sos
passAuth = splunk-system-user
interval = 5
index = sos
disabled = 1

Note the PowerShell for Windows and the other scripts for Linux platforms.

0 Karma

jkat54
SplunkTrust

And for that matter, you see how they do ./bin/ps_sos.sh? What that will do is make it use the bin folder in the SOS app's directory. So you could further simplify to this:

 # windows batch
 [batch://.\logs\*.log]
 index=...
 disabled=0
 ...

 # linux batch
 [batch://./logs/*.log]
 index=...
 disabled=0
 ...

0 Karma

jkat54
SplunkTrust

And finally for even more granularity you could create both a windows and a linux version of your app. See Unix TA and Windows TA for examples of that approach. Then you can use a deployment server to make sure everyone gets the correct app.

0 Karma
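
Added example, not part of the original thread: a deployment server `serverclass.conf` that uses `machineTypesFilter` so each forwarder receives only the TA built for its platform, as the last reply suggests. The server class names and the app names `TA-myproduct-windows` and `TA-myproduct-nix` are hypothetical; the apps are assumed to sit under `$SPLUNK_HOME/etc/deployment-apps/` on the deployment server.

```ini
# $SPLUNK_HOME/etc/system/local/serverclass.conf on the deployment server
# (server class and app names below are hypothetical)

# Windows forwarders: any client that phones home matches the whitelist,
# then machineTypesFilter narrows the class to Windows builds only.
[serverClass:myproduct_windows]
whitelist.0 = *
machineTypesFilter = windows-*

# The Windows TA carries the inputs.conf with the Windows log paths.
[serverClass:myproduct_windows:app:TA-myproduct-windows]
stateOnClient = enabled
restartSplunkd = true

# Linux forwarders: same whitelist, different machine type filter.
[serverClass:myproduct_nix]
whitelist.0 = *
machineTypesFilter = linux-*

# The Linux TA carries the inputs.conf with the /opt/... log paths.
[serverClass:myproduct_nix:app:TA-myproduct-nix]
stateOnClient = enabled
restartSplunkd = true
```

Because each forwarder only ever loads stanzas that exist on its own platform, the missing-path warnings described in the first reply do not appear. Run `splunk reload deploy-server` on the deployment server after editing the file.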