Re: Splunk Add-on for Microsoft Windows: inputs.co...

mikesangray · ‎01-28-2016

I'd like to set some [default] or [global] settings for inputs.conf files on my Windows forwarders using the TA. For example, I want to set index = windesktops as the default index, but each time I try this, I stop getting data...it looks like I need to specify the index for every stanza in my inputs.conf file for the Windows TA...is this true? With registry keys, etc., there will be A LOT of stanzas in this file.

Jeremiah · ‎01-28-2016

You should be able to specify a default stanza in an inputs.conf file like this:

[default]
index=windesktops

[WinEventLog://Application]
disabled = 0 
... rest of your stanzas ...

mikesangray · ‎01-29-2016

Yeah, I know...hence my comment "but each time I try this, I stop getting data". I've just tested again this morning, same result. When I use a [default] stanza where I specify the index I stop getting data. I have to change inputs.conf back to having no [default] stanza and specifying the index in each stanza individually.

DOESN'T WORK
[default]
index = windesktops

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

...snip...

DOES WORK
[WinEventLog://Application]
disabled = 0
index = windesktops

[WinEventLog://Security]
disabled = 0
index = windesktops

[WinEventLog://System]
disabled = 0
index = windesktops

...snip...

Jeremiah · ‎01-29-2016

What output do you get from running btool? With/without the default stanza?

splunk cmd btool inputs list

The output should be identical regardless of how you set the index; ie, your default stanza should be interpreted correctly and each input statement should show the "index = windesktops" setting, even though its not set explicitly. Do you have different input types, or are they all WinEventLog? You might try creating a monitor input and see if it behaves differently.

mikesangray · ‎01-29-2016

Running splunk cmd btool inputs list using each version of my inputs.conf results in the same output (confirmed by copy/paste into UltraCompare).

I'm going to update my SE and possibly open a tech. support case. I need some fresh eyes on this. It isn't behaving the way it should and it's either my fault/misunderstanding/misconfiguration or there's something wrong with how the Splunk_TA_windows operates. Either way I need to get this ready as we're looking to start splunking hundreds...possibly thousands of desktops.

Also, FYI for anyone following along - if you want to get just the stanza headers using btool the cmd is:
splunk cmd btool inputs list | grep "[" <- there needs to be a backslash in front of the [ the backslash is getting filtered out by this forum posting tool.

jplumsdaine22 · ‎01-29-2016

To put actual text into the forum insert a new line and indent 4 spaces

indent 4 spaces and have an empty line above

Jeremiah · ‎01-29-2016

The fact that the stanzas are the same in both btool outputs points towards a bug, though I'm really surprised this wasn't seen before. I can tell you we do this on linux forwarders and it works fine.

mikesangray · ‎01-29-2016

Agreed that this is surprising. I would have thought someone would have caught this as well...which is why I'm not ready to say it isn't my fault. I'll open a case and alert my SE. I'll post back once I have more information.

timothywatson · ‎10-30-2018

So what was the outcome? Did you also have to update indexes.conf?

Splunk Add-on for Microsoft Windows: inputs.conf [default] and [global] not working. Do I need to specify the index for every stanza?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms