Hi,
I am new to Splunk and I need your guidance. We have a Splunk landscape with a deployment server, a cluster master, 3 indexers and 2 search heads. Recently we have been getting unclassified data into the syslog index, and per the requirement it should go to a different index. After looking into the Splunk help, I have updated inputs.conf on the deployment server with the new hosts that are sending data and the index they should go to. I need your help on what other steps are required to complete this set-up and to restart Splunk. One of my colleagues suggested applying a bundle(?) to the peers, and I don't know what that means. Do I need to do anything on the cluster master? Once done, how and where do I restart Splunk? Please help me with this.
Thanks,
Ramesh
If it is coming through syslog then likely you have a Universal Forwarder somewhere running syslog-ng. Go to the CLI on your DS in the $SPLUNK_HOME/etc/deployment-apps directory and find the app that contains the inputs.conf for your sourcetype. You can use a command like this:

find /opt/splunk/etc/deployment-apps -name inputs.conf -exec grep -il YourSourcetypeNameHere {} \;

Now that you know what the name of your app is (it is the directory after deployment-apps), you can go to your DS GUI under Forwarder Management and see what serverclass(es) have this app and also what hosts. These hosts are your syslog servers.

Go to your syslog servers and reconfigure syslog-ng.conf to split out your stuff. Make the associated changes to the inputs.conf in the app we just found. Reload the syslog-ng configuration changes and then do /opt/splunk/bin/splunk reload deploy-server to make your Splunk changes go out.
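As an added illustration of the check the answer above implies (not code from the original post or from Splunk), this script walks a deployment-apps tree and reports which index every inputs.conf stanza writes to, so you can confirm the split before reloading the deployment server. The app names, monitor paths and sample inputs.conf contents are constructed for the example.

```shell
#!/bin/sh
# Added example: audit inputs.conf stanzas under a deployment-apps tree and
# list the index each input writes to, before "splunk reload deploy-server".
# App names and monitor paths below are constructed, not from any real site.

# audit_inputs DIR  -> one tab-separated line per stanza: app, stanza, sourcetype, index
# A stanza with no index= line is reported as "(default)": its events go to the
# indexers' default index, which is how data ends up somewhere unintended.
audit_inputs() {
  find "$1" -name inputs.conf | sort | while read -r conf; do
    # layout is <app>/local/inputs.conf or <app>/default/inputs.conf
    app=$(basename "$(dirname "$(dirname "$conf")")")
    awk -v app="$app" '
      function flush() {
        if (stanza != "") printf "%s\t%s\t%s\t%s\n", app, stanza, st, (idx == "" ? "(default)" : idx)
      }
      function val() { sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); return $0 }
      /^[[:space:]]*\[/ { flush(); stanza = $0
                          sub(/^[[:space:]]*\[/, "", stanza); sub(/\].*$/, "", stanza)
                          st = "(none)"; idx = ""; next }
      /^[[:space:]]*sourcetype[[:space:]]*=/ { st = val(); next }
      /^[[:space:]]*index[[:space:]]*=/      { idx = val(); next }
      END { flush() }
    ' "$conf"
  done
}

# stanzas_in_index DIR INDEX -> "app:stanza" for every stanza writing to INDEX
# (use "(default)" to find inputs that never set an index at all)
stanzas_in_index() {
  audit_inputs "$1" | awk -F'\t' -v want="$2" '$4 == want { print $1 ":" $2 }'
}

# make_sample_apps DIR: constructed deployment-apps tree for a dry run
make_sample_apps() {
  mkdir -p "$1/syslog_inputs/local" "$1/firewall_inputs/local"
  cat > "$1/syslog_inputs/local/inputs.conf" <<'EOF'
[monitor:///var/log/syslog-ng/*/messages]
sourcetype = syslog
index = syslog
EOF
  cat > "$1/firewall_inputs/local/inputs.conf" <<'EOF'
[monitor:///var/log/syslog-ng/fw-*/messages]
sourcetype = fw:syslog
# index= deliberately missing: these events fall into the default index
EOF
}

# Dry run: tmp=$(mktemp -d); make_sample_apps "$tmp"; audit_inputs "$tmp"; stanzas_in_index "$tmp" "(default)"
```

Run it against the real $SPLUNK_HOME/etc/deployment-apps on the DS instead of the constructed tree; every stanza for the new hosts should show the target index rather than syslog or (default).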
Thanks, woodcock, and sorry for the late response, as I was on a long vacation. As you mentioned (actually I forgot to mention that in my question), the logs are coming through syslog. I did the config in syslog and restarted the syslog server and it worked. Much appreciated.
Thanks,
Ramesh