Solved: Stanzas for log file paths in inputs.conf for mult...

timm747747 · ‎03-01-2017

I have 6 different log file paths with many log file names across ~20 hosts in 6 different environments. All log paths don't apply to all hosts, but is it ok to have one generic inputs.conf containing the list of all of the paths and apply that one inputs to the 20 hosts? I wasn't sure if this would tie up resources with the agent or not if it kept looking for a path/file that didn't exist.

Thanks!

Tim

maciep · ‎03-02-2017

I don't see why not. As long as you limit/eliminate the number recursive wildcards in the file paths, I think it should be fine.

However, you may want to break them up into different TAs if it makes sense. If there's little or no overlap between type of log and the host, then you can probably split them up. It might make management a bit easier, especially as your environment grows. You definitely don't want to manage all of your files in one big inputs.conf just because it was easier to set it up that way.

View solution in original post

maciep · ‎03-02-2017

I don't see why not. As long as you limit/eliminate the number recursive wildcards in the file paths, I think it should be fine.

However, you may want to break them up into different TAs if it makes sense. If there's little or no overlap between type of log and the host, then you can probably split them up. It might make management a bit easier, especially as your environment grows. You definitely don't want to manage all of your files in one big inputs.conf just because it was easier to set it up that way.

Stanzas for log file paths in inputs.conf for multiple hosts that don't apply to all hosts

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases