Deployment Architecture

Restarting Splunk after updating inputs.conf

rkilari
Engager

Hi,
I am new to Splunk and I need your guidance. We have a Splunk landscape with a deployment server, cluster master, 3 indexers and 2 search heads. Recently we have been getting unclassified data into the syslog index and, as per the requirement, it should go to a different index. After looking into Splunk help, I have updated inputs.conf on the deployment server with the new hosts that are sending data and the index. I need your help on what other steps are required to do this setup and restart Splunk. One of my colleagues suggested applying a bundle(?) to the peers and I don't know what that means. Do I need to do anything on the cluster master? Once done, how and where do I restart Splunk? Please help me with this.

Thanks,
Ramesh

1 Solution

woodcock
Esteemed Legend

If it is coming through syslog then likely you have a Universal Forwarder somewhere running syslog-ng. Go to the CLI on your DS, in the $SPLUNK_HOME/etc/deployment-apps directory, and find the app that contains the inputs.conf for your sourcetype. You can use a command like this:

find /opt/splunk/etc/deployment-apps -name inputs.conf -exec grep -il YourSourcetypeNameHere {} \;

Now that you know the name of your app (it is the directory after deployment-apps), you can go to your DS GUI under Forwarder Management and see which serverclass(es) have this app and also which hosts. These hosts are your syslog servers.

Go to your syslog servers and reconfigure syslog-ng.conf to split out your stuff. Make the associated changes to the inputs.conf in the app we just found. Reload the syslog-ng configuration changes and then run /opt/splunk/bin/splunk reload deploy-server to make your Splunk changes go out.


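An added example, not from the original thread, that turns the "find the app" step from the accepted answer into a small audit: it walks a deployment-apps tree and reports which app and inputs.conf stanza carry a given sourcetype and which index each stanza currently routes to, which is the setting the question is really about. The fixture directory and the app names syslog_inputs and web_inputs are constructed here so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit which deployment app and
# inputs.conf stanza currently handle a sourcetype, and which index each stanza
# routes it to (the "default" index applies when no index= line is set).
# Assumes a deployment-apps tree laid out as app/{default,local}/inputs.conf.

# Usage: inputs_routing <deployment-apps dir> <sourcetype>
# Output: one line per matching stanza: app<TAB>stanza<TAB>index
inputs_routing() {
  apps_dir="$1"; want="$2"
  find "$apps_dir" -name inputs.conf | while read -r f; do
    app=${f#"$apps_dir"/}; app=${app%%/*}   # first path component = app name
    awk -v app="$app" -v want="$want" '
      function flush() {
        if (stanza != "" && st == want)
          printf "%s\t%s\t%s\n", app, stanza, (idx == "" ? "default" : idx)
      }
      /^\[/ { flush(); stanza = substr($0, 2, length($0) - 2); st = ""; idx = ""; next }
      /^[ \t]*sourcetype[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); st = $0 }
      /^[ \t]*index[ \t]*=/      { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); idx = $0 }
      END { flush() }
    ' "$f"
  done | sort
}

# Constructed fixture standing in for $SPLUNK_HOME/etc/deployment-apps on a DS.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/syslog_inputs/local" "$d/web_inputs/default"
  cat > "$d/syslog_inputs/local/inputs.conf" <<'EOF'
[monitor:///var/log/remote/firewall]
sourcetype = cisco:asa
index = syslog

[monitor:///var/log/remote/linux]
sourcetype = syslog
EOF
  cat > "$d/web_inputs/default/inputs.conf" <<'EOF'
[monitor:///var/log/httpd/access_log]
sourcetype = access_combined
index = web
EOF
  printf '%s\n' "$d"
}

# After changing index= in the app found above, push it out from the DS with:
#   /opt/splunk/bin/splunk reload deploy-server
demo=$(make_fixture)
inputs_routing "$demo" cisco:asa   # -> syslog_inputs <TAB> monitor:///var/log/remote/firewall <TAB> syslog
```

A stanza that has a sourcetype but no index= line is reported as "default", which is exactly the case that lets unclassified syslog data land in the wrong index.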

rkilari
Engager

Thanks woodcock, and sorry for the late response as I was on a long vacation. As you mentioned (actually I forgot to mention that in my question), the logs are coming through syslog. I did the config in syslog and restarted the syslog server and it worked. Much appreciated.

Thanks,
ramesh
