Override source key in inputs.conf

mixolydian
Path Finder

Hello,

We are helping our indexers get through a bout of too-many-sources. We've applied the short-term solution (a script to trim the number of sources), and are looking at the long-term fix to employ props/transforms changes to normalize the source names through regex. It would seem (to this relative novice) that setting the source in inputs.conf would be an easy way to limit the numbers of sources, but the inputs.conf documentation indicates that this is a Bad Idea:

NOTE: Overriding the source key is generally not recommended. Typically, the input layer will provide a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Please consider use of source types, tagging, and search wildcards before overriding this value.

Apologies if I'm being dim here, but could someone please explain what the pitfalls are here? If our apps are not using the source key specifically, is overriding it a viable option? I appreciate any insight you might have. Thanks.

1 Solution

gekoner
Communicator

mixolydian,

I'm not sure what the pitfalls would be other than what is mentioned in the NOTE. I can tell you I have used Splunk extensively for 3+ years and I always edited the Source of inputs that do not meet my needs.
You have already stated a strong case for editing your Source values: having too many is a great reason to edit this.
I have never seen any fallout from doing this. I think the caution comes as a reminder of what you will be doing and what the ramifications might be.

mixolydian
Path Finder

Appreciate the concern, gekoner. We released a new version of the app with the source set implicitly and the indexers are much happier now, with no bad side-effects for the app. Thanks for your help!

gekoner
Communicator

mixolydian, I'm curious if everything worked out?
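
The two approaches discussed in this thread, side by side, as an added illustration that is not taken from any of the posts or from the app in question. The monitored path, sourcetype, source value and stanza names are constructed placeholders.

```ini
# --- Option 1: inputs.conf on the forwarder ---
# Every file matched by this monitor is indexed under one fixed source value.
# The per-file path is no longer recorded in the source field, which is the
# loss of detail the documentation NOTE refers to.
[monitor:///var/log/myapp/sessions/*.log]
sourcetype = myapp:session
source = myapp_session_logs

# --- Option 2: index-time rewrite via props/transforms ---
# Applied where parsing happens (indexer or heavy forwarder).

# props.conf
[source::/var/log/myapp/sessions/*.log]
TRANSFORMS-normalize_source = myapp_normalize_source

# transforms.conf
[myapp_normalize_source]
# Match against the source metadata rather than the raw event text.
SOURCE_KEY = MetaData:Source
# The metadata value carries a "source::" prefix. Keep the directory and
# drop the unique file name so all files collapse to one source.
REGEX = ^source::(/var/log/myapp/sessions)/[^/]+\.log$
DEST_KEY = MetaData:Source
FORMAT = source::$1/normalized.log
```

With either option the original file name is gone from the `source` field after indexing, so anything needed for later investigation (for example a session or host identifier embedded in the file name) has to be available elsewhere in the event.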
