All Apps and Add-ons

Splunk Add-on for Microsoft Windows: How to modify the source on data from Windows universal forwarder?

DFresh4130
Path Finder

I installed the universal forwarder on a couple Windows 2K3 servers a week ago. During the installation wizard I told it to monitor the IIS log directory. Data is coming in fine, but I'd like to tweak the settings a little for my searches. One thing I'd like to change is the source value the data has associated with it. It's currently defaulting to the log file name the entry came from. How can I go about changing this value to something static like the domain, www.example.com? There is no \etc\apps\search\local\inputs.conf at the moment. I see the below entry in the \etc\apps\Splunk_TA_windows\local\inputs.conf currently which I'm guessing was created when I used the installation wizard to specify the directory to monitor. Should I just edit this file or create the inputs.conf in the \apps\search\local directory like the documentation says?

[monitor://C:\WINDOWS\system32\LogFiles\W3SVC1]
disabled = false
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Do edit the file in Splunk_TA_windows. Splitting up the settings for one monitor stanza into two inputs.conf files will only cause confusion down the line.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Do edit the file in Splunk_TA_windows. Splitting up the settings for one monitor stanza into two inputs.conf files will only cause confusion down the line.

View solution in original post

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!