Hi,
I have a best practice question around index creation.
I'm planning on having data come from both Windows Event Logs and Syslog sources.
The Splunk_TA_windows
addon nicely compartmentalizes the index and input config files that are required in a folder.
If I then wanted to add a file monitor input to monitor a Syslog log, where would it be best to define the input and associated index? I know it will work if I put the required config files in etc/system/local
but should I be looking to create an app folder or the like?
Many thanks,
M
Quick update:
I've got a situation now where I've installed the Splunk_TA_windows app on my Search Head, Indexers and Forwarders. That is, each instance has the full Splunk_TA_windows folder located under /etc/apps/ and then I've copied an 'inputs.conf' and 'indexes.conf' into the /local/ folder under the App and edited the index location and enabled the inputs.
I have also created a Syslog app, named Splunk_TA_syslog and placed that in the /etc/apps/ folder.
I know have files in multiple places;
- /etc/apps/Splunk_TA_windows/local/indexes.conf (to define WIndows indexes)
- /etc/apps/Splunk_TA_windows/local/inputs.conf (to define Windows inputs)
- /etc/apps/Splunk_TA_syslog/local/indexes.conf (to define syslog Indexes)
- /etc/apps/Splunk_TA_syslog/local/inputs.conf (to define syslog inputs)
But also;
- /etc/system/local/outputs.conf (to define global outputs for instances)
- /etc/system/local/server.conf (to define global SSL settings)
I've been basically defining what I consider 'global' settings within the system/local folders and app based settings at the app folder level. Is that correct? It is best practice?
Hello there,
if you are using forwarders to send data to splunk, you can do the following:
create a small app, create inputs.conf file and place in that apps local folder, configure the inputs t monitor syslog data log path file.
make sure you have an index set up for the data and htat your new inputs.conf reflects the index.
place the app on your forwarder (or splunk instance) in /etc/app/ directory.
restart forwarder.
enjoy the new syslog data
hope it helps
OK thanks, so it sounds like most inputs are best configured via an App folder - I know the highest weighted values are in the system/local folder, it's more my understanding of when and when not to use this location!