Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Single inputs.conf across multiple fowarder - How to

pl123
Path Finder
‎12-23-2010 06:02 AM

Hi there,

My Splunk environment is made up from 1 Deployment Server, 1 Indexer and 20+ light forwarders.

How could I go about setting up a single inputs.conf which is pushed from the deployment server to the forwarders. Each of the forwarders has a unique set of logs in various locations. I do not want to manage a single log file for each forwarder, but would rather have a single conf file which lists all the locations for various machines, with each machine only looking at the portion in the conf list which is relevant to itself (ie locations blocked via hostname)

Ideally I would have a file like this

inputs.conf

srv1
monitor://blah
...
monitor://basddsfd
...
monitor://dfsdf
...


srv2 
monitor://gdfg
....

etc

is this possible?

Cheers

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎12-23-2010 04:57 PM

Yes. Just include all the monitored paths in the single indexes.conf. There's no harm in monitoring a path that doesn't exist.

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎12-23-2010 04:57 PM

Yes. Just include all the monitored paths in the single indexes.conf. There's no harm in monitoring a path that doesn't exist.

Reply
Solved! Jump to solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎12-27-2010 06:47 PM

Not really. We'll stat the path every few seconds, which should be negligible for tens of thousands of paths.

0 Karma
Reply
Solved! Jump to solution

pl123
Path Finder
‎12-23-2010 09:45 PM

Would this not cause significant overhead on the machines that dont have the paths available to them?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...