Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use single inputs.conf across multiple forwarders with different set of monitored directories?

tusharsaran1
Path Finder
‎04-17-2017 12:31 AM

Hi All,

Is it possible to configure inputs.conf in such a way that universal forwarders running on different hosts can read the same file but scan a different set of directories? As an example, we want to create 1 inputs.conf with 3 stanzas . Now we want 3 different forwarders to read the same inputs.conf but monitor data from 1 directory each.
In other words, is it possible to link directory stanzas in inputs.conf with particular forwarders?

Our actual use case is given below:
We have a NFS mounted log directory having ~2000 subdirectories. We want to split the load across 4 universal forwarders with each forwarder scanning ~25% of the sub directories. We want to avoid managing 4 different inputs.conf files. Is that possible?

Reply

jonmargulies
Path Finder
‎04-17-2017 04:17 AM

There is no way to do what you want by just using one inputs.conf file. The closest I could think of would be to have one primary inputs.conf app that defines all the monitoring stanzas and disables them, and then a set of secondary inputs.conf apps, each assigned to just one forwarder, that just enables the appropriate stanzas for that forwarder. But I don't recommend doing that, as it's just another layer of complexity to manage (so now when you change something you have to change it in at least two places instead of one).

In the past, when I've had the need for very complex inputs.conf configurations, with hosts collecting data on behalf of thousands of other hosts, I've had a lot of success with building a spreadsheet that tracked all my inputs and then a Python script that processed the spreadsheet into the inputs.conf file(s) I needed. This had major benefits: I was just editing things in one place (the spreadsheet), which was a lot easier to read, sort, and search than an inputs.conf file; if I needed to change the way things were broken up, I could make the change in the Python script and have it automate the changes downstream; and much lower typo risk. I highly recommend this approach.

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...