https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-scripted-install/m-p/119032#M24719 <P>Does anyone know if it is possible to automatically add the current_only = [0|1] attribute in a scripted Universal Forwarder install? The inputs.conf I am referencing is located here:</P> <P>C:\Program Files (x86)\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf</P> <P>[WinEventLog://Application]<BR /> disabled = 0<BR /> current_only = 1</P> <P>[WinEventLog://Security]<BR /> disabled = 0<BR /> current_only = 1</P> <P>[WinEventLog://System]<BR /> disabled = 0<BR /> current_only = 1</P> Mon, 28 Sep 2020 16:18:43 GMT aberdamy 2020-09-28T16:18:43Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-scripted-install/m-p/119032#M24719 <P>Does anyone know if it is possible to automatically add the current_only = [0|1] attribute in a scripted Universal Forwarder install? The inputs.conf I am referencing is located here:</P> <P>C:\Program Files (x86)\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf</P> <P>[WinEventLog://Application]<BR /> disabled = 0<BR /> current_only = 1</P> <P>[WinEventLog://Security]<BR /> disabled = 0<BR /> current_only = 1</P> <P>[WinEventLog://System]<BR /> disabled = 0<BR /> current_only = 1</P> Mon, 28 Sep 2020 16:18:43 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-scripted-install/m-p/119032#M24719 aberdamy 2020-09-28T16:18:43Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-scripted-install/m-p/119033#M24720 <P>Have you considered rolling out the inputs.conf (and its surrounding app) automatically, using the Splunk Deployment Server or any 3rd party configuration management tool?<BR /> That would not only simplify your scripted install, but would also make future maintenance nightmares disappear.</P> <P>As for your question itself, you can do this from the CLI:</P> <PRE><CODE>splunk _internal call /servicesNS/nobody/Splunk_TA_windows/properties/inputs/WinEventLog%3A%2F%2FSecurity/current_only -post:value 1 -auth admin:pass </CODE></PRE> <P>That should be integrateable into your install script.</P> Thu, 03 Apr 2014 22:35:18 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-scripted-install/m-p/119033#M24720 martin_mueller 2014-04-03T22:35:18Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-scripted-install/m-p/119034#M24721 <P>We are rolling the Universal Forwarder out via SCCM and we have a batch file that looks at the Operating system architecture and writes to the "/etc/system/local inputs.conf" file to monitor the firewall log if it is a Windows 2003 system. Would the splunk_internal call command work with this? If so, where would I insert it? Part of batch:</P> <P>start /wait msiexec /i splunkforwarder-6.msi <BR /> INSTALLDIR="%PROGRAMFILES%\SplunkUniversalForwarder" RECEIVING_INDEXER="server:9997" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 DISPLAY_WINDOWS_TA_DIALOG=1 LAUNCHSPLUNK=0 /quiet</P> Mon, 28 Sep 2020 16:20:36 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-scripted-install/m-p/119034#M24721 aberdamy 2020-09-28T16:20:36Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-scripted-install/m-p/119035#M24722 <P>You'd have to run that after Splunk's installation, and probably only while it's running.</P> <P>It might be easier to add that line to the config file directly from your script, especially if you already are writing to inputs.conf.</P> Tue, 08 Apr 2014 15:31:23 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-scripted-install/m-p/119035#M24722 martin_mueller 2014-04-08T15:31:23Z