Solved: Splunk Add-on for Microsoft Windows: How to modify...

DFresh4130 · ‎10-15-2014

I installed the universal forwarder on a couple Windows 2K3 servers a week ago. During the installation wizard I told it to monitor the IIS log directory. Data is coming in fine, but I'd like to tweak the settings a little for my searches. One thing I'd like to change is the source value the data has associated with it. It's currently defaulting to the log file name the entry came from. How can I go about changing this value to something static like the domain, www.example.com? There is no \etc\apps\search\local\inputs.conf at the moment. I see the below entry in the \etc\apps\Splunk_TA_windows\local\inputs.conf currently which I'm guessing was created when I used the installation wizard to specify the directory to monitor. Should I just edit this file or create the inputs.conf in the \apps\search\local directory like the documentation says?

[monitor://C:\WINDOWS\system32\LogFiles\W3SVC1]
disabled = false

martin_mueller · ‎10-15-2014

Do edit the file in Splunk_TA_windows. Splitting up the settings for one monitor stanza into two inputs.conf files will only cause confusion down the line.

View solution in original post

martin_mueller · ‎10-15-2014

Do edit the file in Splunk_TA_windows. Splitting up the settings for one monitor stanza into two inputs.conf files will only cause confusion down the line.

Splunk Add-on for Microsoft Windows: How to modify the source on data from Windows universal forwarder?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...