My SHC of 3 members is Linux. I need to create an inputs.conf to ingest /var/log/* and send them to my indexer-cluster. _internal data
from all of my servers is being indexed properly so I believe that the data flow is correct. I believe I need to do two things: 1)
create an indexes.conf file on each search head and 2) create an inputs.conf file on each search head.
Step 1) On my deployer, I created /opt/splunk/etc/master-apps/_cluster/local/indexes.conf and executed splunk apply shcluster-bundle
without errors. This is the contents of indexes.conf.
[linux]
coldPath = $SPLUNK_DB/linux/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/linux/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/linux/thaweddb
I cannot find the indexes.conf file on any of my search heads.
2) I also created /shcluster/apps/locallinux/local/inputs.conf and executed splunk apply shcluster-bundle without errors. This is the contents of inputs.conf.
[monitor:///var/log/messages]
disabled = false
index = linux
sourcetype = syslog
[monitor:///var/log/cron]
disabled = false
index = linux
sourcetype = syslog
Same problem as above, I cannot find the inputs.conf file on any of my search heads.
In a separate, but bigger picture of what I am trying to accomplish, on my License Server and on my Monitoring server, I created a linux index and used the web gui to create the inputs AND I have SPLUNK_HOME/etc/system/local/outputs.conf as below.
[indexAndForward]
index = false
[tcpout]
defaultGroup = DSCA_Indexers
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:DSCA_Indexers]
server=10.20.38.11:9997, 10.20.38.12:9997, 10.20.38.13:9997
My linux information gets to the indexers.
The desired goal is to send ALL Enterprise Server Linux /var/log/* to the indexers.
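As an added example (not code from the original post or from Splunk), here is a small Python lint for the three files discussed above. It parses Splunk-style .conf text, checks that every monitor stanza names an index defined in indexes.conf and that outputs.conf's defaultGroup resolves to a populated [tcpout:<group>] stanza, and reports whether a given path sits under etc/shcluster/apps, which is the tree that splunk apply shcluster-bundle distributes to the members. The sample stanzas and the /opt/splunk home are constructed from the post.

```python
import posixpath

# The deployer only distributes $SPLUNK_HOME/etc/shcluster/apps; master-apps belongs to the indexer cluster manager.
SHC_BUNDLE_ROOT = ("etc", "shcluster", "apps")

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}; keys before any stanza go under 'default'."""
    conf, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            conf.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf.setdefault(current, {})[key.strip()] = value.strip()
    return conf

def in_deployer_bundle(path, splunk_home="/opt/splunk"):
    """True if the deployer would push this file, i.e. it sits under etc/shcluster/apps/<app>/<dir>/<file>."""
    parts = posixpath.relpath(path, splunk_home).split("/")
    return tuple(parts[:3]) == SHC_BUNDLE_ROOT and len(parts) >= 6

def lint(inputs_text, indexes_text, outputs_text):
    """Return a list of problems: monitor stanzas pointing at undefined indexes, broken tcpout wiring."""
    inputs, indexes, outputs = (parse_conf(t) for t in (inputs_text, indexes_text, outputs_text))
    problems = []
    for stanza, kv in inputs.items():
        if stanza.startswith("monitor://") and kv.get("index") not in indexes:
            problems.append(f"[{stanza}]: index {kv.get('index')!r} is not defined in indexes.conf")
    group = outputs.get("tcpout", {}).get("defaultGroup")
    if group is None or f"tcpout:{group}" not in outputs:
        problems.append(f"outputs.conf: defaultGroup {group!r} has no matching [tcpout:{group}] stanza")
    elif not outputs[f"tcpout:{group}"].get("server"):
        problems.append(f"outputs.conf: [tcpout:{group}] lists no server")
    if outputs.get("tcpout", {}).get("indexAndForward", "false").lower() != "false":
        problems.append("outputs.conf: indexAndForward is on, so the search head would also index a local copy")
    return problems

# Constructed samples, taken from the stanzas in the post
INPUTS = "[monitor:///var/log/messages]\ndisabled = false\nindex = linux\nsourcetype = syslog\n"
INDEXES = "[linux]\nhomePath = $SPLUNK_DB/linux/db\ncoldPath = $SPLUNK_DB/linux/colddb\n"
OUTPUTS = ("[tcpout]\ndefaultGroup = DSCA_Indexers\nindexAndForward = false\n"
           "[tcpout:DSCA_Indexers]\nserver=10.20.38.11:9997, 10.20.38.12:9997, 10.20.38.13:9997\n")

if __name__ == "__main__":
    for p in ("/opt/splunk/etc/master-apps/_cluster/local/indexes.conf",
              "/opt/splunk/etc/shcluster/apps/linux/local/inputs.conf"):
        print(p, "->", "pushed by deployer" if in_deployer_bundle(p) else "NOT in the deployer bundle")
    print(lint(INPUTS, INDEXES, OUTPUTS) or "no problems found")
```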