input.conf

giorgiovolpini · ‎09-17-2019

HI, I have a Win10 64bit environment with Splunk Enterprise instance and UF instance.

I tried to send data using the File Metadata app to send data from UF (local) to Splunk Ent (local) to test the app with forwarder.

I copied the decompressed folder into SplunkUniversalForwarder/etc/apps and set output and input. I restarted the service but i didn't received data on the main index.

The input.conf configuration file look like this:

input.conf

[file_meta_data://Test]
depth_limit=0
file_hash_limit=500MB
file_path=C:\mypath\DaMonitorare
include_file_hash=0
index=main
interval=2m
only_if_changed=0
recurse=1
disabled=0

The UF works fine using a simple folder monitoring configuration like

[monitor://C:\mypath\tosplunk]
disabled = false
index = main

I have Python 2.7.1 installed on my machine (and also python 3).

Can you help me?

Do you have a guide to install and configure on UF on Windows environment step by step or some suggestions?

Thank you

Giorgio

LukeMurphey · ‎09-17-2019

That app requires Python to execute. This means you either need to install Python 2.7 or use a heavy forwarder.

giorgiovolpini · ‎09-18-2019

Thank you for your answer,

but I installed Python 2.7.15 (installation folder "C:\Python27") and configured the "path" environment variable (C:\Python\python).

I tried with 64 and 32 bit python version, but in both cases I had the same error on UF splunkd log file:

"09-18-2019 10:47:10.099 +0200 ERROR ModularInputs - Introspecting scheme=file_meta_data: Unable to run "python "C:\Program Files\SplunkUniversalForwarder\etc\apps\file_meta_data\bin\file_meta_data.py" --scheme": child failed to start: The system cannot find the file specified.
09-18-2019 10:47:10.356 +0200 WARN UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts
09-18-2019 10:47:10.356 +0200 ERROR ModularInputs - Unable to initialize modular input "file_meta_data" defined in the app "file_meta_data": Introspecting scheme=file_meta_data: Unable to run "python "C:\Program Files\SplunkUniversalForwarder\etc\apps\file_meta_data\bin\file_meta_data.py" --scheme": child failed to start: The system cannot find the file specified.."

Do you have some suggestions?

Thank you

Giorgio

LukeMurphey · ‎09-18-2019

You might just want to use a Heavy Forwarder. This includes Python and should work straight-away.

giorgiovolpini · ‎09-19-2019

Thank you,

but i need to use a Universal Forwarder for many reasons.

I'm testing the app locally, so it could be an environment issue (I also have a Splunk Enterprise instance to develop dashboard and apps on my machine).

However I tried on other windows machine (Win10 64bit + python 2.7.15 installed) with the same error.

Have you ever installed and tested the app with UF on a windows 10 OS? (or on nix environment)

Thank you

Giorgio

LukeMurphey · ‎09-19-2019

I have tested it and I know other people are using it with a UF. I also have unit tests which verify that the functionality works with non-Splunk Python. I checked and re-ran them today and they passed.

giorgiovolpini · ‎09-20-2019

Thank you,

so it should be my environment, I will try again.

In any cases, the steps to follow are:
1) Install and configure UF to send data to an Indexer
2) Install Python 2.7.15 (on c:\Python27)
3) Unzip the app into SplunkUniversalForwarder\etc\apps\
4) Add configuration into input.conf file (I used the input.conf in the UF search app folder)
5) Restart the UF

Is it correct?

Thanks a lot

giorgiovolpini · ‎09-20-2019

SOLVED||

The problem was the "path" system evironment variable!

I setted the variable with a wrong path.

Now it works fine

Thanks

Universal Forwarder: How to install app and configure input.conf?

input.conf

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...