All Apps and Add-ons

Splunk Add-on for Microsoft Windows: How to modify the source on data from Windows universal forwarder?

DFresh4130
Path Finder

I installed the universal forwarder on a couple Windows 2K3 servers a week ago. During the installation wizard I told it to monitor the IIS log directory. Data is coming in fine, but I'd like to tweak the settings a little for my searches. One thing I'd like to change is the source value the data has associated with it. It's currently defaulting to the log file name the entry came from. How can I go about changing this value to something static like the domain, www.example.com? There is no \etc\apps\search\local\inputs.conf at the moment. I see the below entry in the \etc\apps\Splunk_TA_windows\local\inputs.conf currently which I'm guessing was created when I used the installation wizard to specify the directory to monitor. Should I just edit this file or create the inputs.conf in the \apps\search\local directory like the documentation says?

[monitor://C:\WINDOWS\system32\LogFiles\W3SVC1]
disabled = false
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Do edit the file in Splunk_TA_windows. Splitting up the settings for one monitor stanza into two inputs.conf files will only cause confusion down the line.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Do edit the file in Splunk_TA_windows. Splitting up the settings for one monitor stanza into two inputs.conf files will only cause confusion down the line.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...