Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Use same input stanza across multiple apps

bkwoka
Explorer
‎01-08-2019 12:03 PM

I am looking to use multiple [WinEventLog://Security] inputs. For example I would like one inputs.conf to be capturing event 6278 in one app and capturing 4724, 4722, 4725 in a separate app. The problem is that Splunk is only using the last input stanza and so it seems to be impossible to have multiple apps with the [WinEventLog://Security] stanza even though they capture different events, have different sourcetypes and send to different indexes.

0 Karma
Reply

deepashri_123
Motivator
‎01-08-2019 11:50 PM

Hey@bkwoka,

The input is not app specific , the data can be seen across all apps. You can restrict the data to be searched on user level. You can restrict the eventcodes/apps to be searched while creating the roles.
Refer this link:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/Addandeditroles

Let me know if this helps!!

0 Karma
Reply

mikemizener
Explorer
‎01-08-2019 02:44 PM

Hi @bkwoka .

Is the end result to capture specific EventCodes? EventCodes can be included in whitelists/blacklists:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/MonitorWindowseventlogdata#Create_advanced_f...

0 Karma
Reply

Vijeta
Influencer
‎01-08-2019 01:12 PM

You can add your stanza to inputs.conf under etc/apps//local.
That way you will have 2 different inputs.conf with same stanza name under different apps.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-08-2019 02:06 PM

Splunk merges the settings from conf files by stanza name. That means you can't have the same stanza in different apps do different things. The settings from the apps will be combined, with the app first in alphabetical order winning if more than one app tries to set the same attribute.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Vijeta
Influencer
‎01-08-2019 02:18 PM

I haven’t tried though but thought naming same stanza in different app folders would work . Thanks for sharing !

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...