Solved: Re: Deployment Server App Confusion

knutsod · ‎06-24-2014

I created a deployment app, lets call it windows. Inisde Windows\Local\ I have an input.conf and an outputs.conf file. My input.conf file looks like this:
[WinEventLog:Security] disabled = flase
When the app gets delived to the clients (Windows Universal Forwarders) the input.conf file in the deployed app looks like this:
[WinEventLog://Security] disabled = 1

What the heck is going on?

martin_mueller · ‎06-24-2014

You may have a typo, flase instead of false.

Nonetheless, the inputs.conf reference suggests 0 or 1 as values. http://docs.splunk.com/Documentation/Splunk/6.1.1/admin/inputsconf

View solution in original post

knutsod · ‎06-24-2014

False was spelled wrong, thanks to martin_mueller for pointing that out.

martin_mueller · ‎06-24-2014

You may have a typo, flase instead of false.

Nonetheless, the inputs.conf reference suggests 0 or 1 as values. http://docs.splunk.com/Documentation/Splunk/6.1.1/admin/inputsconf

martin_mueller · ‎06-24-2014

I'm sure you could build a Splunk alert that tells users to take a break if they've been Splunking along for more than X hours...

knutsod · ‎06-24-2014

That was it... I feel stupid. I think I need to step away from my desk and get some air. Thanks!

Deployment Server App Confusion

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes