Getting Data In

new to splunk - need help with input.conf

rsingh
Explorer

i am new to splunk that is already setup on our servers, my manager asked if i can edit the input.conf file so we can start deploying to workstations. where is the correct location i need to edit the file? also what option i can edit.

Thanks

Tags (1)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

It depends upon your Splunk Architecture/topology

1) If you've single standalone Splunk server performing every role, including that of a Forwarder (data monitoring), you'd find your inputs.conf on $SPLUNK_HOME/etc/system/local/ OR $SPLUNK_HOME/etc/apps/<>/local/ (preferred method for portability). Restart Splunk after making any changes.

2) If you've distributed Splunk environment and setup a deployment servers to deploy configurations to your forwarders, then

a) On Deployment server, you'll find inputs.con on $SPLUNK_HOME/etc/deployment-apps/<>/local/. IF you make changes to it, either reload deployment server OR restart it. More info here http://docs.splunk.com/Documentation/Splunk/6.4.3/Updating/Deploymentserverarchitecture

b) On Forwarders, it will in $SPLUNK_HOME/etc/apps/<>/local/. Ideally, the deployment server (serverclass.conf) should be configured in a way to restart the Forwarder automatically when a new content is received.

3) If you've forwarders not being managed by Deployment server, the you'd find your inputs.conf on $SPLUNK_HOME/etc/system/local/ OR $SPLUNK_HOME/etc/apps/<>/local/ on the Forwarder. Restart Splunk after making any changes.

View solution in original post

rsingh
Explorer

we have a single Splunk Server and i installed Splunk Forwarder on a workstation to test the input files. how can i point the input file to the workstation, do i even need to do that?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

It depends upon your Splunk Architecture/topology

1) If you've single standalone Splunk server performing every role, including that of a Forwarder (data monitoring), you'd find your inputs.conf on $SPLUNK_HOME/etc/system/local/ OR $SPLUNK_HOME/etc/apps/<>/local/ (preferred method for portability). Restart Splunk after making any changes.

2) If you've distributed Splunk environment and setup a deployment servers to deploy configurations to your forwarders, then

a) On Deployment server, you'll find inputs.con on $SPLUNK_HOME/etc/deployment-apps/<>/local/. IF you make changes to it, either reload deployment server OR restart it. More info here http://docs.splunk.com/Documentation/Splunk/6.4.3/Updating/Deploymentserverarchitecture

b) On Forwarders, it will in $SPLUNK_HOME/etc/apps/<>/local/. Ideally, the deployment server (serverclass.conf) should be configured in a way to restart the Forwarder automatically when a new content is received.

3) If you've forwarders not being managed by Deployment server, the you'd find your inputs.conf on $SPLUNK_HOME/etc/system/local/ OR $SPLUNK_HOME/etc/apps/<>/local/ on the Forwarder. Restart Splunk after making any changes.

inventsekar
Ultra Champion

There is an inputs.conf in $SPLUNK_HOME/etc/system/default/. To set custom
configurations, place an inputs.conf in $SPLUNK_HOME/etc/system/local/.

assuming /opt/splunk as your splunk home,

/opt/splunk/etc/system/local/inputs.conf is what your inputs.conf file.

You must restart Splunk to enable new configurations.
for full info about inputs.conf,
https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Inputsconf

you may check this page for new data on boarding tasks..
http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Getstartedwithgettingdatain

gcusello
SplunkTrust
SplunkTrust

I suggest to you to follow one of the Tutorial starting from
http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...