I am looking to use multiple [WinEventLog://Security] inputs. For example I would like one inputs.conf to be capturing event 6278 in one app and capturing 4724, 4722, 4725 in a separate app. The problem is that Splunk is only using the last input stanza and so it seems to be impossible to have multiple apps with the [WinEventLog://Security] stanza even though they capture different events, have different sourcetypes and send to different indexes.
Hey @bkwoka,
The input is not app specific; the data can be seen across all apps. You can restrict the data to be searched at the user level. You can restrict the event codes/apps to be searched while creating the roles.
Refer to this link:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/Addandeditroles
Let me know if this helps!!
Hi @bkwoka.
Is the end result to capture specific EventCodes? EventCodes can be included in whitelists/blacklists:
You can add your stanza to inputs.conf under etc/apps//local.
That way you will have two different inputs.conf files with the same stanza name under different apps.
Splunk merges the settings from conf files by stanza name. That means you can't have the same stanza in different apps do different things. The settings from the apps will be combined, with the app first in alphabetical order winning if more than one app tries to set the same attribute.
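To make the merge rule above concrete, here is an added Python model of that precedence (written for this thread, not Splunk's own code) applied to two constructed apps that both define [WinEventLog://Security]: the app whose directory name sorts first in ASCII order supplies whitelist and index, the other app's values for those keys are dropped, and a key only the second app sets (renderXml) still lands in the merged stanza. The app names, index names and event codes are assumptions for illustration.

```python
"""Model of Splunk conf layering in the global context (etc/system/local left out): stanzas
merge by name, app/local beats app/default, and among apps the ASCII-first directory name
wins any key both apps set. App names and settings are constructed samples, not real."""

CONF_FILES = {  # two apps on one forwarder carrying the SAME stanza name
    "etc/apps/A_win_pwd_reset/local/inputs.conf": """
[WinEventLog://Security]
whitelist = 4722,4724,4725
index = wineventlog_pwd
""",
    "etc/apps/B_win_nps/local/inputs.conf": """
[WinEventLog://Security]
whitelist = 6278
index = wineventlog_nps
renderXml = 1
""",
}

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def precedence_key(path):
    """Smaller key wins: local before default, then ASCII order of the app directory name."""
    _, _, app, scope, _ = path.split("/")
    return (0 if scope == "local" else 1, app)

def effective_config(conf_files):
    """Merge by stanza name; the winning file sets a key first, lower files only fill gaps."""
    merged = {}
    for path in sorted(conf_files, key=precedence_key):
        for stanza, settings in parse_conf(conf_files[path]).items():
            target = merged.setdefault(stanza, {})
            for key, value in settings.items():
                target.setdefault(key, (value, path))  # keep (value, source file)
    return merged

if __name__ == "__main__":
    for key, (value, src) in effective_config(CONF_FILES)["WinEventLog://Security"].items():
        print(f"{key} = {value}   # from {src}")
```

On a real forwarder, `splunk btool inputs list WinEventLog://Security --debug` prints the same merged view with the source file of each setting, which is the quickest way to confirm which app won.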
I haven't tried it, though, but thought naming the same stanza in different app folders would work. Thanks for sharing!