Inputs, inputs, everywhere.

cignul9
Explorer

I am installing Splunk universal forwarder on Windows machines as an agent to forward my data to the indexer. It appears to create its own app folder (MSICreated) if you specify some install-time switches that indicate you want to monitor some basic things like event logs and perfmon. In addition to that there is an inputs.conf in \etc\apps\SplunkUniversalForwarder\local, one in \etc\apps\SplunkUniversalForwarder\default, and one more at \etc\system\local\inputs.conf, all of which have similarly configured entries for Event Logs. I'm all for the belt and suspenders approach, but it's confusing to find the same entries all over hell's half acre. If I want to disable one or add another, the only way to be sure I'm getting what I want is to edit all those files. After all, one of them might override the others. It's my understanding that entries in local override entries in default, for example. What really concerns me is that I'm not sure whether having entries in four places causes four times the workload for the same event log. Does it? What is best practice here?

Second question. It appears that SplunkUniversalForwarder and the local inputs.conf have the means to gather all the information I'm interested in already. So, do I still need something like Splunk for Windows TA? What does that add-on get me that I don't already have for Splunking Windows hosts with agents/forwarders? Do I just need it on the Indexer/Searcher in order to parse things successfully, or what?

Thanks in advance for any responses.

0 Karma
1 Solution

cignul9
Explorer

Okay, here was the answer the Splunk guy gave me regarding the order or ranking of inputs.conf files:

\etc\system\local\inputs.conf is a sort of master of all. It gets processed last (?) or in any case its settings override all other inputs.conf. Best practice is to have a bare minimum of information there and place all your actual data-gathering stanzas (for event logs, perfmons, etc.) at \etc\apps\SplunkUniversalForwarder\default\inputs.conf. The deployment server governs that file, so pushing changes for all servers would be easier. And obviously, if you wanted one-off stanzas for single machines here and there, you would add them to \etc\apps\SplunkUniversalForwarder\local\inputs.conf.

The Splunk for Windows TA is just for the Searcher part of your infrastructure; you don't deploy it out to agents/forwarders. Apologies if I got the jargon wrong. I'm a Splunk noob.

0 Karma

linu1988
Champion

Hello,
For the concerns you raised there are some explanations which will clear your doubts.

For the first part: if you have multiple .conf files with similar definitions, Splunk will check precedence and take the conf file having the higher precedence, i.e. the app folder. The local folder will be considered for the conf files over the default folder if there is any overlap. If it is confusing, you can remove the duplicate entries and specify them in the local directory of every app, not only on the forwarder but also on the indexer and search head.
You can take a look at this documentation:
http://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles

Second part: the TA add-on helps you get the information which is pre-configured. Again, it does the thing which you can also do manually through conf files, i.e. inputs, perfmon, wmi, etc. So you can safely get rid of it if it doesn't help much. The parsing you can do yourself on the indexer/search head, at index or search time; it doesn't depend on that app.

Have a look at props.conf and transforms.conf for more insight.

Thanks
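A small model of the layering described in the accepted answer and in the reply above, added here as an example (it is not Splunk's code): it merges the three inputs.conf files the thread names stanza by stanza, applying the higher-precedence layer last, so you can see that a stanza repeated in several files becomes a single effective stanza and which file supplies each key. The file contents are constructed, and only the single-app ordering system/local > app/local > app/default from the answer is modelled.

```python
import re

# Constructed contents for the three inputs.conf files named in the thread; the
# Security stanza is deliberately repeated in all three with conflicting keys.
SYSTEM_LOCAL = r"\etc\system\local\inputs.conf"
APP_LOCAL = r"\etc\apps\SplunkUniversalForwarder\local\inputs.conf"
APP_DEFAULT = r"\etc\apps\SplunkUniversalForwarder\default\inputs.conf"
SAMPLE_FILES = {
    SYSTEM_LOCAL: "[WinEventLog://Security]\ndisabled = 0\n",
    APP_LOCAL: ("[WinEventLog://Security]\nindex = oneoff\ncurrent_only = 1\n\n"
                "[WinEventLog://Application]\ndisabled = 1\n"),
    APP_DEFAULT: ("[WinEventLog://Security]\ndisabled = 1\nindex = main\n"
                  "start_from = oldest\n\n[WinEventLog://Application]\ndisabled = 0\n"),
}
# Layer order from the accepted answer, highest precedence first.
PRECEDENCE = [SYSTEM_LOCAL, APP_LOCAL, APP_DEFAULT]

def parse_conf(text):
    """Parse '[stanza]' headers and 'key = value' lines into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_inputs(files, precedence):
    """Merge layers lowest precedence first so a higher layer overwrites a key set
    by a lower one; returns {stanza: {key: (value, winning_file)}}."""
    merged = {}
    for path in reversed(precedence):
        for stanza, keys in parse_conf(files[path]).items():
            target = merged.setdefault(stanza, {})
            for key, value in keys.items():
                target[key] = (value, path)
    return merged

def raw_stanza_count(files, stanza):
    """Number of files that define the stanza: the 'entries in four places' worry."""
    return sum(stanza in parse_conf(text) for text in files.values())
```

On a real forwarder, `splunk btool inputs list --debug` prints the same merged view together with the file that supplied each setting.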
