topic Re: Sample Windows Data for Input.conf in Getting Data In

Sample Windows Data for Input.conf

redsox07928 — Fri, 23 Jul 2021 16:44:02 GMT

Does anyone have a sample inputs.conf for capturing Windows data such as CPU utilization, memory utilization and disk utilization? Just looking for the basics. I could not find any good baseline samples.

Thank you very much!

Re: Sample Windows Data for Input.conf

richgalloway — Fri, 23 Jul 2021 17:11:54 GMT

The default inputs.conf in the UF already contains Windows perfmon inputs. You just have to enable the inputs you want.

Re: Sample Windows Data for Input.conf

redsox07928 — Mon, 26 Jul 2021 01:05:09 GMT

Any chance you have a copy? I inherited this environment and don't have any place to install a universal forwarder. All the inputs.conf have been "cleaned".

Re: Sample Windows Data for Input.conf

richgalloway — Mon, 26 Jul 2021 12:31:42 GMT

You don't need to install the UF to get the file. Just download the .tgz file from splunk.com and extract the file from it.

Also, one should not change .conf files in default directories. Any "cleaning" should be done in the local directory.

Re: Sample Windows Data for Input.conf

redsox07928 — Wed, 04 Aug 2021 21:40:57 GMT

maybe I am just clueless but I could not extract the file

Re: Sample Windows Data for Input.conf

richgalloway — Thu, 05 Aug 2021 00:10:34 GMT

Try this. Replace splunk-8.1.0-8c3d4d4c1386-Linux-x86_64.tgz with the name of your tarball. It will create a splunk/etc/system/default filepath in the current directory so be careful where you run it.

tar -zxf splunk-8.1.0-8c3d4d4c1386-Linux-x86_64.tgz splunk/etc/system/default/inputs.conf

Re: Sample Windows Data for Input.conf

redsox07928 — Thu, 05 Aug 2021 02:21:49 GMT

I am on Windows so I don't even get a tar ball and I don't have admin rights anywhere to even run an install. And I checked out the inputs.conf in the default directory and my predecessors did modify them!!

Re: Sample Windows Data for Input.conf

richgalloway — Thu, 05 Aug 2021 12:11:16 GMT

If you have access to splunk.com then you have access to a tarball. Download the appropriate version and use 7-zip to extract the file.

Re: Sample Windows Data for Input.conf

isoutamo — Thu, 05 Aug 2021 12:20:50 GMT

I'm afraid that without Admin rights you couldn't fix the situation/install UF to windows. You need to find someone who can do it and after that you you could use deployment server to modify needed configurations to get files and events into splunk. Here is instructions how to install UF to Windows client. https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller

Personally I prefer to create separate app/TA for deployment server configuration than give that information within UF installation. Just pure UF installation w/o DS parameters then add this TA/app for connect to DS and all needed configurations from DS than updating those locally in UF.

r. Ismo

Re: Sample Windows Data for Input.conf

redsox07928 — Thu, 05 Aug 2021 13:57:12 GMT

I extracted the file which is great. Maybe I am missing the Windows perfmon inputs in the default inputs.conf.

# Version 8.2.1
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file contains possible attributes and values you can use to
# configure inputs, distributed inputs and file system monitoring.

[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

[blacklist:$SPLUNK_HOME/etc/auth]

[blacklist:$SPLUNK_HOME/etc/passwd]

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal

[monitor://$SPLUNK_HOME/var/log/watchdog/watchdog.log*]
index = _internal

[monitor://$SPLUNK_HOME/var/log/splunk/license_usage_summary.log]
index = _telemetry

[monitor://$SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log*]
index = _telemetry
sourcetype = splunk_cloud_telemetry

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[batch://$SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json]
move_policy = sinkhole
index = _introspection
sourcetype = search_telemetry
crcSalt = <SOURCE>
log_on_completion = 0

[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt = <SOURCE>

[batch://$SPLUNK_HOME/var/spool/splunk/tracker.log*]
index = _internal
sourcetype = splunkd_latency_tracker
move_policy = sinkhole

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt = <SOURCE>
time_before_close = 0

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_hec]
sourcetype = stash_hec
move_policy = sinkhole
crcSalt = <SOURCE>

[fschange:$SPLUNK_HOME/etc]
disabled = false
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = true

[SSL]
# SSL settings
# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old Splunk
# versions (Splunk 5.x and earlier).
# To add support for Splunk 5.x set sslVersions to tls and add this to the
# end of cipherSuite:
# DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA
# and this, in case Diffie Hellman is not configured:
# AES256-SHA:AES128-SHA

sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

allowSslRenegotiation = true
sslQuietShutdown = false

Re: Sample Windows Data for Input.conf

richgalloway — Thu, 05 Aug 2021 14:23:17 GMT

Interesting. It looks like that file changed recently because my 8.1.2 file has a [perfmon] stanza, but yours doesn't.

Re: Sample Windows Data for Input.conf

redsox07928 — Thu, 05 Aug 2021 14:25:11 GMT

Any chance you could post the stanza? That would be much appreciated.

Re: Sample Windows Data for Input.conf

richgalloway — Thu, 05 Aug 2021 16:37:14 GMT

There's not much to it.

[perfmon] interval=300

Re: Sample Windows Data for Input.conf

redsox07928 — Thu, 05 Aug 2021 17:26:36 GMT

Oh I thought it actually had sample counters. I was hoping to use it as a jumping off point.

Re: Sample Windows Data for Input.conf

isoutamo — Thu, 05 Aug 2021 18:41:08 GMT

Was this inputs.conf from server or UF? Based on it’s content I suppose from Linux server?

Re: Sample Windows Data for Input.conf

redsox07928 — Thu, 05 Aug 2021 18:47:22 GMT

I downloaded the tgz for the UCF. I tried to extract the inputs.conf file but it returned that the inputs.conf file was not present. I then downloaded the splunk tgz and got that inputs.conf file from it.

Yes one responder was stating that I should extract the inputs.conf from the tgz which is not used for Windows, it's Linux.

I see where you are going in that why would the Linux inputs.conf file have windows perfmon stats. Now I see that the tgz approach was not practical.

I was just hoping to get a sample stanza that captured Windows perform stats. That's was and still is my goal.

Re: Sample Windows Data for Input.conf

isoutamo — Thu, 05 Aug 2021 18:54:40 GMT

The best approach will be get MS package and install it to any temporary workstation where you have admin access. Then you could see that inputs.conf there and copy needed part from it.
Another option is just check those stanzas from here https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/Inputsconf
There are those options for windows.
r. Ismo

Re: Sample Windows Data for Input.conf

redsox07928 — Thu, 05 Aug 2021 18:59:03 GMT

As I said, in one of the replies here, I do not have admin rights. I did look at that spec as well.

Someone said that the inputs.conf file in the install comes with samples and they just need to be enabled. The spec definitely does not have that.

I was just hoping someone could paste the sample stanza. Seems like a simple option.

Re: Sample Windows Data for Input.conf

isoutamo — Thu, 05 Aug 2021 20:07:25 GMT

Yes, I read that you haven't admin access to that server, but I'm thinking if you have option to install/use any temporary virtual machine for testing etc.

Here is $SPLUNK_HOME\etc\system\default\inputs.conf from one windows workstation.

# Version 8.0.6 # DO NOT EDIT THIS FILE! # Changes to default files will be lost on update and are difficult to # manage and support. # # Please make any changes to system defaults by overriding them in # apps or $SPLUNK_HOME/etc/system/local # (See "Configuration file precedence" in the web documentation). # # To override a specific setting, copy the name of the stanza and # setting to the file where you wish to override it. # # This file contains possible attributes and values you can use to # configure inputs, distributed inputs and file system monitoring. [default] index = default _rcvbuf = 1572864 host = $decideOnStartup evt_resolve_ad_obj = 0 evt_dc_name= evt_dns_name= [blacklist:$SPLUNK_HOME\etc\auth] [blacklist:$SPLUNK_HOME\etc\passwd] [monitor://$SPLUNK_HOME\var\log\splunk] index = _internal [monitor://$SPLUNK_HOME\var\log\watchdog\watchdog.log*] index = _internal [monitor://$SPLUNK_HOME\var\log\splunk\license_usage_summary.log] index = _telemetry [monitor://$SPLUNK_HOME\var\log\splunk\splunk_instrumentation_cloud.log*] index = _telemetry sourcetype = splunk_cloud_telemetry [monitor://$SPLUNK_HOME\etc\splunk.version] _TCP_ROUTING = * index = _internal sourcetype=splunk_version [batch://$SPLUNK_HOME\var\run\splunk\search_telemetry\*search_telemetry.json] move_policy = sinkhole index = _introspection sourcetype = search_telemetry crcSalt = <SOURCE> log_on_completion = 0 [batch://$SPLUNK_HOME\var\spool\splunk] move_policy = sinkhole crcSalt = <SOURCE> [batch://$SPLUNK_HOME\var\spool\splunk\...stash_new] queue = stashparsing sourcetype = stash_new move_policy = sinkhole crcSalt = <SOURCE> [fschange:$SPLUNK_HOME\etc] #poll every 10 minutes pollPeriod = 600 #generate audit events into the audit index, instead of fschange events signedaudit=true recurse=true followLinks=false hashMaxSize=-1 fullEvent=false sendEventMaxSize=-1 filesPerDelay = 10 delayInMills = 100 [udp] connection_host=ip [tcp] acceptFrom=* connection_host=dns [splunktcp] route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue acceptFrom=* connection_host=ip [script] interval = 60.0 start_by_shell = false [SSL] # SSL settings # The following provides modern TLS configuration that guarantees forward- # secrecy and efficiency. This configuration drops support for old Splunk # versions (Splunk 5.x and earlier). # To add support for Splunk 5.x set sslVersions to tls and add this to the # end of cipherSuite: # DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA # and this, in case Diffie Hellman is not configured: # AES256-SHA:AES128-SHA sslVersions = tls1.2 cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ecdhCurves = prime256v1, secp384r1, secp521r1 allowSslRenegotiation = true sslQuietShutdown = false [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path] disabled = 0 interval = 10000000 source = wmi sourcetype = wmi queue = winparsing persistentQueueSize=200MB # default single instance modular input restarts [admon] interval=60 baseline=0 [MonitorNoHandle] interval=60 [WinEventLog] interval=60 evt_resolve_ad_obj = 0 evt_dc_name= evt_dns_name= [WinNetMon] interval=60 [WinPrintMon] interval=60 [WinRegMon] interval=60 baseline=0 [perfmon] interval=300 [powershell] interval=60 [powershell2] interval=60

As it's from 8.0.6 version it could be little bit different than 8.2.1, so you must check from documentation if there are still something weird.

r. Ismo

Re: Sample Windows Data for Input.conf

redsox07928 — Thu, 05 Aug 2021 21:07:28 GMT

Thank you. So the OOTB inputs.conf really does not have the basic perfmon stuff I was looking for. Thank you for posting that and putting that to bed.

My search continues!!