I'd like to set some [default] or [global] settings for inputs.conf files on my Windows forwarders using the TA. For example, I want to set index = windesktops as the default index, but each time I try this, I stop getting data...it looks like I need to specify the index for every stanza in my inputs.conf file for the Windows TA...is this true? With registry keys, etc., there will be A LOT of stanzas in this file.
You should be able to specify a default stanza in an inputs.conf file like this:
    [default]
    index=windesktops
    [WinEventLog://Application]
    disabled = 0
    ... rest of your stanzas ...
Yeah, I know...hence my comment "but each time I try this, I stop getting data". I've just tested again this morning, same result. When I use a [default] stanza where I specify the index I stop getting data. I have to change inputs.conf back to having no [default] stanza and specifying the index in each stanza individually.
DOESN'T WORK
    [default]
    index = windesktops
    [WinEventLog://Application]
    disabled = 0
    [WinEventLog://Security]
    disabled = 0
    [WinEventLog://System]
    disabled = 0
    ...snip...
DOES WORK
    [WinEventLog://Application]
    disabled = 0
    index = windesktops
    [WinEventLog://Security]
    disabled = 0
    index = windesktops
    [WinEventLog://System]
    disabled = 0
    index = windesktops
    ...snip...
What output do you get from running btool? With/without the default stanza?
splunk cmd btool inputs list
The output should be identical regardless of how you set the index; ie, your default stanza should be interpreted correctly and each input statement should show the "index = windesktops" setting, even though its not set explicitly. Do you have different input types, or are they all WinEventLog? You might try creating a monitor input and see if it behaves differently.
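An added illustration of what btool's merged view means, not code from this thread or from Splunk: a small model of how a [default] stanza is inherited by the other stanzas in a single inputs.conf, run over the two variants posted above (the helper names are the example's own, and app/local precedence between .conf files is ignored).

```python
# Constructed example, not Splunk's code: a minimal model of how a [default]
# stanza is inherited by every other stanza in one inputs.conf, which is what
# "splunk cmd btool inputs list" displays. App/local layering is ignored.
def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_settings(stanzas):
    """Merge [default] into each stanza; explicit keys win, as btool shows."""
    default = stanzas.get("default", {})
    return {name: {**default, **keys}
            for name, keys in stanzas.items() if name != "default"}

def stanzas_missing(stanzas, key="index"):
    """Stanzas with no value for `key` even after inheritance (they would
    fall back to Splunk's built-in default, e.g. the main index)."""
    return sorted(n for n, s in effective_settings(stanzas).items() if key not in s)

def same_effective_config(a, b):
    """True when two inputs.conf texts resolve to identical settings."""
    return effective_settings(parse_conf(a)) == effective_settings(parse_conf(b))

# The two inputs.conf variants from the thread (constructed sample text).
WITH_DEFAULT = """
[default]
index = windesktops
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
"""
EXPLICIT = """
[WinEventLog://Application]
disabled = 0
index = windesktops
[WinEventLog://Security]
disabled = 0
index = windesktops
"""
```

Running `stanzas_missing` over a forwarder's merged config is a quick way to spot inputs that would silently land in the wrong index.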
Running splunk cmd btool inputs list using each version of my inputs.conf results in the same output (confirmed by copy/paste into UltraCompare).
I'm going to update my SE and possibly open a tech. support case. I need some fresh eyes on this. It isn't behaving the way it should and it's either my fault/misunderstanding/misconfiguration or there's something wrong with how the Splunk_TA_windows operates. Either way I need to get this ready as we're looking to start splunking hundreds...possibly thousands of desktops.
Also, FYI for anyone following along - if you want to get just the stanza headers using btool the cmd is:
    splunk cmd btool inputs list | grep "\["

<- there needs to be a backslash in front of the [ ; the backslash is getting filtered out by this forum posting tool.
To put actual text into the forum, insert a new line and indent 4 spaces:
indent 4 spaces and have an empty line above.
The fact that the stanzas are the same in both btool outputs points towards a bug, though I'm really surprised this wasn't seen before. I can tell you we do this on linux forwarders and it works fine.
Agreed that this is surprising. I would have thought someone would have caught this as well...which is why I'm not ready to say it isn't my fault. I'll open a case and alert my SE. I'll post back once I have more information.
So what was the outcome? Did you also have to update indexes.conf?
