The universal folder has two default nf files. Splunk Enterprise ships with a single default nf file, located in $SPLUNK_HOME/etc/system/default. No matter how many nf files the forwarder has and where they reside, the forwarder combines all their settings, using the rules of location precedence, as described in Configuration file precedence in the Admin Manual. For details on configuring inputs, see Add data and configure inputs in Getting Data In. A single forwarder can have multiple nf files (for instance, one located in an apps directory and another in /system/local). To specify what data the forwarder should collect, you must separately configure the inputs. The topics describing various topologies, such as load balancing and data routing, provide detailed examples on configuring nf to support those topologies. Although nf is a critical file for configuring forwarders, it only addresses where the forwarder should send data. While you can specify some output configurations through Splunk Web (heavy/light forwarders only) or the CLI, most advanced configuration settings require that you edit nf. but that's up to you. The nf file defines how forwarders send data to receivers. it doesn't hurt anything to just update both spots. that's index time and would be on the indexer. Again. If you changed something about line breaking. in this case, a search time extraction needs to be on the search head. Now, WHERE your directive would be applied would depend on what it was. by simply adding that one directive. For example, one of the stanzas in nf in default is this: EXTRACT-websphere_DumpRoutineSubComponents = (?i)0SECTION\s*(?P*) BREAK_ONLY_BEFORE = \[.+.\s EXTRACT-websphere_my custom extraction= (?i)blahblahblah.*(?P*)\sblah\sblah so it is implied. But if you add a nf in `local' you can add to what is in default. Usually people don't include the disabled=false in a nf or nf stanza, as that is the default setting. you might be wondering "what did I do? and why?"
is to just not have the nf (in default) at all. To disable that I create an nf file in $SPLUNK_HOME/etc/apps/splunk_app_was/local/ And now the disabled=false under the stanza in default, is set to true and that stanza is disabled. ThawedPath = $SPLUNK_DB/websphere/thaweddb If you want to add something or change something. $SPLUNK_HOME/etc/apps/splunk_app_was/default/ on the indexer and search head can be identical. The files that "don't belong" or "aren't really needed" will be ignored. The doc could be more clear, but what they're saying is. Copy the app. since it's only communicating with the indexer so if you did have nf on the search head, it would remain empty and harm nothing (in fact, there are benefits to that because you can then add or restrict usage of that index when you create roles and users) It will only send that data to the indexer. The forwarder is told that it should send data to the index "websphere". Your forwarder points the data to your indexer. Splunk will use what it needs depending upon whether your additions are search time or index time behaviors. again putting your changes on both indexer and search head will harm nothing. $SPLUNK_HOME/etc/apps/splunk_app_was/local/ So the answer (without knowing what you want to do) is that any additions to the existing nf and nf would be in If you look at nf, based on the sources, the app creates sourcetypes and has both EXTRACT (search time) and TRANSFORMS (index time) extractions. the nf will create an empty index on the search head (and harm nothing) and nf and nf will be ignored on the indexer. $SPLUNK_HOME/etc/apps/splunk_app_was/default/