You will be able to restrict user access to a particular set of data/servers and also you can search data from a set of hosts/forwarders easily by just index=abc-productionĪnother way is to add tags for all your servers so that you can categorize servers into different category. There are many advantages of having different indexes for your production and development (just assuming that you have separate environment or different user base). Repeat the same for your development environment. This will be the same for all the forwarders which are under category production. What would a working example of 'those' files look like ?Įasiest way to achieve this is to create different indexes for your different environments for eg: one index for production, one for development etc and forward the data from your forwarder to respective indexes.įor example, your product-ABC-production-servers will forward data to an index called abc-production and the nf will be What other file(s) do I need to edit to make the tagging/annotating happen ? What would a typical nf file entry for forwarding /var/log/messages look like ? based on that categorization/tagging/bucketing/whatever-word-you-want-to-use ? How do I define things on the forwarder computers to have all the data from that system categorized so we can filter our searches etc. The most efficient way to do this is to define a separate stanza in nf for each of the 5 inputs. We tend to try to notionally categorize each VM into groups that make sense for us (ie, product-ABC-production-servers, or product-XYZ-development-servers or the like). The problem - I have a variety of Linux VMs running universal forwarders, forwarding syslogs and custom logs and the like to the central Splunk server we've set up. I am getting nowhere fast trying to wrap my mind around the circularly-referencing docs here none of which having CLI examples at all.
#Splunk inputs.conf add application tag full#
I need to do something that I'd hope is simple, with a full example really needed.
I'm totally lost trying to decipher the impossibly dense abstract documentation here. Please refer to Configure Live Monitoring Inputs for the Splunk Add-on for Box for steps for configuring live monitoring inputs.
0 kommentar(er)
