https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88763#M97267 <P>Well, I was just guessing as to why the config did not list. Anyway, I would still suggest that you deploy one app for the DC's and another app for the other Windows hosts.</P> <P>Neat and simple, with little room for confusion.</P> <P>/K</P> Tue, 08 Oct 2013 20:26:55 GMT kristian_kolb 2013-10-08T20:26:55Z https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88760#M97264 <P>I would like to have all Windows servers send all their event logs to my "windows" index, except for the domain controllers. For those, I want just the Security event log to go to the "AD" index. The forwarders are being controlled via a deployment server. I have two inputs.conf files in their own \apps\ directories, but only 1 is being used and even appearing in the "splunk cmd btool inputs list --debug" output. </P> <P><STRONG>C:\Program Files\SplunkUniversalForwarder\etc\apps\ad\local\inputs.conf</STRONG> </P> <PRE><CODE>###### Active Directory "Security" event log ###### [WinEventLog://Security] checkpointInterval = 5 current_only = 0 disabled = 0 index = ad start_from = oldest </CODE></PRE> <P><STRONG>C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf</STRONG></P> <PRE><CODE>[WinEventLog://Security] checkpointInterval = 5 current_only = 0 disabled = 0 index = windows start_from = oldest </CODE></PRE> <P>Currently all DC events are being sent to the "windows" index. Hurmph. I'm pretty sure this is set up correctly, as \ad\ comes before \Splunk_TA_windows\ alphabetically. This behavior is identical across 4 different DCs. I cant seem to find any documentation about conf files being ignored totally and completely. Stumped.</P> <P>Any ideas?</P> Mon, 28 Sep 2020 14:55:33 GMT https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88760#M97264 peterfilardo 2020-09-28T14:55:33Z https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88761#M97265 <P>Though I have not played a lot with configuration file precedence, i.e. knowingly distributed apps with conflicting configs, it seems that you are right in your assumptions. Is the 'ad' app enabled?<BR /> See the app.conf for that app.</P> <P>Other solutions/workarounds;</P> <P>Why not create a separate serverclass for the DC's and create two different apps, where the value for the destination index is the major difference.?</P> <P>Or you can set up a index-time TRANSFORM to rewrite the destination index for the events coming from the DC's.</P> <P>/K</P> Tue, 08 Oct 2013 20:12:11 GMT https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88761#M97265 kristian_kolb 2013-10-08T20:12:11Z https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88762#M97266 <P>the AD app is one of my own creation, the contents of which are local\inputs.conf. Is there a line I need to add to enable it? I'd have thought that app would be put in disabled-apps. I've created and distributed apps for other inputs.conf files and did not explictly enable them in the files, only within the "Forwarder Management" page of the deployment server.</P> Tue, 08 Oct 2013 20:24:23 GMT https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88762#M97266 peterfilardo 2013-10-08T20:24:23Z https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88763#M97267 <P>Well, I was just guessing as to why the config did not list. Anyway, I would still suggest that you deploy one app for the DC's and another app for the other Windows hosts.</P> <P>Neat and simple, with little room for confusion.</P> <P>/K</P> Tue, 08 Oct 2013 20:26:55 GMT https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88763#M97267 kristian_kolb 2013-10-08T20:26:55Z https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88764#M97268 <P>This is a precedence problem, and a not-best-practice issue.<BR /><BR /> Uppercase S takes App precedence over lowercase a. See:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles</A></P> <P>Kristian is right about different serverclasses because it is does not seem right to have conflicting enabled source inputs.</P> Tue, 08 Oct 2013 20:30:23 GMT https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88764#M97268 lukejadamec 2013-10-08T20:30:23Z https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88765#M97269 <P>aah, of course. Uppercase comes before lowercase....</P> Tue, 08 Oct 2013 20:35:23 GMT https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88765#M97269 kristian_kolb 2013-10-08T20:35:23Z https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88766#M97270 <P>uppercase before lower, UGH. totally should have caught that. works now, thanks!</P> Tue, 08 Oct 2013 23:17:53 GMT https://community.splunk.com/t5/Getting-Data-In/inputs-conf-not-being-processed-Windows/m-p/88766#M97270 peterfilardo 2013-10-08T23:17:53Z