Getting Data In

Scripted Inputs via Separate Outputs

ephemeric
Contributor

Is it possible to have two scripted inputs on a light forwarder (raw data) sent out to two different remote ports in outputs.conf to the indexer?

The scripted inputs are two different sourcetypes and we need to do props and transforms at index time on the indexer in order to apply regex filters.

The transforms cannot be done on the light forwarder due to client constraints. Once the light forwarder is installed we cannot access it to make changes.

0 Karma

ephemeric
Contributor
0 Karma

mw
Splunk Employee
Splunk Employee

Sourcetype would be specified in the inputs.conf, which will live on the forwarder. I'm not clear on what "regex filters" you need to apply, but this example would execute 2 different scripts at 2 different times, with separate source and sourcetype values, the second script even gets sent to a different index:

# inputs.conf
[script://./bin/script1.sh]
interval = 60
source = script1
sourcetype = script1

[script://.bin/script2.sh]
interval = 90
source = script2
sourcetuype = script2
index = other_index
0 Karma

ephemeric
Contributor

I'm struggling to articulate this.

Is nothing applied if we have in outputs.conf:
indexandforward = false
sendcookeddata = false

This is what I need:

http://splunk-base.splunk.com/answers/11971/sourcetypetcp-raw

"i didnt want to set sourcetype on forwarder in inputs.conf or props/transforms wanted to perform all transforms on indexer."

"I could have done that, but can't since i'll have events coming in from different devices on same tcp port which needs different sourcetypes to be set with regex. i'll need a transforms.conf to set sourcetype."

0 Karma

mw
Splunk Employee
Splunk Employee

I'm not going to argue about it. It's possible that you haven't been clear about what you want to do, but I'm not incorrect.

"The Input phase acquires the raw data stream from its source and annotates it with source-wide keys. The keys are values that apply to the entire input source overall, and includes the host, source, and sourcetype of the data. The keys may also include values that are used internally by Splunk such as the character encoding of the data stream, and values that can control later processing of the data, such as the index into which the events should be stored."

0 Karma

mw
Splunk Employee
Splunk Employee

No. inputs.conf on the indexer will only affect inputs on the indexer. There are cases where you might want to change the sourcetype prior to writing data to disk on the indexer, but that would use props.conf and transforms.conf. In the case where you have a forwarder running a scripted input, you should set the correct source and sourcetype values on that forwarder through inputs.conf.

This link may help a bit: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F

0 Karma

ephemeric
Contributor

I'm thinking to set the sourcetype in inputs.conf?

0 Karma

mw
Splunk Employee
Splunk Employee

Can you explain what you're trying to accomplish with this? Why do you think you need 2 separate ports?

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...