All Apps and Add-ons

Where to add a file monitor input to monitor a Syslog log and where would it be best to define the input and associated index?

mshilston
Path Finder

Hi,

I have a best practice question around index creation.

I'm planning on having data come from both Windows Event Logs and Syslog sources.

The Splunk_TA_windows addon nicely compartmentalizes the index and input config files that are required in a folder.

If I then wanted to add a file monitor input to monitor a Syslog log, where would it be best to define the input and associated index? I know it will work if I put the required config files in etc/system/local but should I be looking to create an app folder or the like?

Many thanks,

M

0 Karma

mshilston
Path Finder

Quick update:

I've got a situation now where I've installed the Splunk_TA_windows app on my Search Head, Indexers and Forwarders. That is, each instance has the full Splunk_TA_windows folder located under /etc/apps/ and then I've copied an 'inputs.conf' and 'indexes.conf' into the /local/ folder under the App and edited the index location and enabled the inputs.

I have also created a Syslog app, named Splunk_TA_syslog and placed that in the /etc/apps/ folder.

I know have files in multiple places;
- /etc/apps/Splunk_TA_windows/local/indexes.conf (to define WIndows indexes)
- /etc/apps/Splunk_TA_windows/local/inputs.conf (to define Windows inputs)
- /etc/apps/Splunk_TA_syslog/local/indexes.conf (to define syslog Indexes)
- /etc/apps/Splunk_TA_syslog/local/inputs.conf (to define syslog inputs)

But also;
- /etc/system/local/outputs.conf (to define global outputs for instances)
- /etc/system/local/server.conf (to define global SSL settings)

I've been basically defining what I consider 'global' settings within the system/local folders and app based settings at the app folder level. Is that correct? It is best practice?

0 Karma

adonio
Ultra Champion

Hello there,

if you are using forwarders to send data to splunk, you can do the following:
create a small app, create inputs.conf file and place in that apps local folder, configure the inputs t monitor syslog data log path file.
make sure you have an index set up for the data and htat your new inputs.conf reflects the index.
place the app on your forwarder (or splunk instance) in /etc/app/ directory.
restart forwarder.

enjoy the new syslog data

hope it helps

mshilston
Path Finder

OK thanks, so it sounds like most inputs are best configured via an App folder - I know the highest weighted values are in the system/local folder, it's more my understanding of when and when not to use this location!

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...