Format of configuration files

Communicator

Which of the following is the preferred syntax for setting values in configuration files?
disabled = [true|false] or disabled = [0|1]

The documentation for version 4.3 refers to "true|false". However, we are deploying Windows Lightweight Forwarders using the GUI and the command line, and in both cases the generated "inputs.conf" file contains disabled = [0 | 1].

If we try to use disabled = [true | false], the inputs.conf file loses all the values as shown below:

[WinEventLog:Application]

[WinEventLog:ForwardedEvents]

[WinEventLog:HardwareEvents]

[WinEventLog:Internet Explorer]

[WinEventLog:Security]

[WinEventLog:Setup]

[WinEventLog:System]


SplunkTrust

Hi steveirogers

the docs state the following:

The Security, Application, and System event log inputs are enabled by 
default.  To disable an input type, comment it out or set disabled = 1 in
$SPLUNK_HOME\etc\apps\windows\local\inputs.conf

or

disabled = [1|0] Enable (0) or disable (1) this input.

meaning disabled = [1|0] is the correct way to enable or disable the inputs.

cheers
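
An added example, not part of the original thread and not Splunk tooling: a small lint for a deployed inputs.conf that flags the two conditions discussed here, a WinEventLog stanza left with no settings (as in the listing in the question) and a disabled value other than the 0/1 form quoted from the docs above. The function names and the sample file content are constructed for illustration.

```python
import re

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING = re.compile(r"^(?P<key>[^=\s][^=]*?)\s*=\s*(?P<value>.*)$")

def parse_conf(text):
    """Return {stanza: {key: value}} for a Splunk-style .conf file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no settings
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m["name"], {})
            continue
        m = SETTING.match(line)
        if m and current is not None:
            current[m["key"].strip()] = m["value"].strip()
    return stanzas

def lint_inputs(text):
    """Flag WinEventLog stanzas that are empty or whose 'disabled' is not 0/1."""
    findings = []
    for name, settings in parse_conf(text).items():
        if not name.startswith("WinEventLog:"):
            continue
        if not settings:
            # The symptom shown in the question: stanza header only.
            findings.append((name, "stanza has no settings"))
        elif settings.get("disabled", "0") not in ("0", "1"):
            findings.append(
                (name, f"disabled = {settings['disabled']} (expected 0 or 1)"))
    return findings

# Constructed sample, modelled on the stanzas listed in the question.
SAMPLE = """\
[WinEventLog:Application]
disabled = 0

[WinEventLog:Security]

[WinEventLog:System]
disabled = true
"""

if __name__ == "__main__":
    for stanza, problem in lint_inputs(SAMPLE):
        print(f"{stanza}: {problem}")
```

Running it against each forwarder's generated inputs.conf after deployment catches a Security event log input that has silently lost its settings before it shows up as a gap in collected events.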

Communicator

Thanks very much, MuS. That clarified it for me.