Getting Data In

Configuration of UF on Windows server - Confusion over inputs and outputs configuration

dujas
Explorer

Hi All,

I am new to the UF on Windows and here is the deployment in my lab:

1 Splunk Enterprise instance running on Centos8

1 UF running on Windows pointing to the instance above

For now, I am able to retrieve the events in the search bar with `host="DESKTOP-JQJVH8A" source="WinEventLog:Security"`.

What I am confused is about the configuration file:

outputs.conf: D:\SplunkUniversalForwarder\etc\system\local

inputs.conf: D:\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local

Why is the inputs.conf not in the same directory as outputs.conf? Is this owing to the installation?

Say I would like to add some more stanzas in the inputs.conf, do I need to create a new inputs.conf in etc\system\local or modify the existing one in etc\apps\SplunkUniversalForwarder\local?

Thanks.


PickleRick
SplunkTrust

Splunk builds a consolidated configuration based on various files it has in various directories in its etc/ directory. There is a precedence of files when the settings are applied to the resulting configurations.

https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Wheretofindtheconfigurationfiles

This mechanism lets you deploy a configuration in a modularized way, so you can - for example - distribute an app with a disabled input to all your forwarders and then only overwrite one setting on one forwarder which will effectively enable the input.

EDIT: So the question of where you _should_ put your file is not a question which has one good-for-all answer. It's not so much a technical question as a matter of the convention that you follow in your infrastructure for manageability.

On a manually managed forwarder, it's probably convenient to overwrite some app's default settings in this app's local/ folder. So for Windows inputs I'd probably create an etc/TA_windows/local/inputs.conf file which will overwrite selected settings of the default Windows inputs.

But if I have a huge number of centrally-managed forwarders, I'd rather create a completely separate app with this file, which would allow me to simply enable or disable those inputs just by deploying this app (or not) over a whole class of forwarders.


gcusello
SplunkTrust

Hi @dujas,

as @SinghK hinted, follow the instructions at the link he described.

Anyway, inputs.conf and outputs.conf are always in:

  • $SPLUNK_HOME\etc\system\default
  • $SPLUNK_HOME\etc\system\local
  • $SPLUNK_HOME\etc\apps\<your_custom_app>\default
  • $SPLUNK_HOME\etc\apps\<your_custom_app>\local

SplunkUniversalForwarder is an internal App that cannot be used and usually you don't find any App or Add-On in this folder.

The question is: how did you configure inputs.conf?

  • manually editing the inputs.conf file,
  • by CLI,
  • by Deployment Server

In the first case, move it into $SPLUNK_HOME\etc\system\local.

I don't think that you used the CLI, because the CLI always puts inputs.conf in $SPLUNK_HOME\etc\system\local.

In the third case, there's an error in the DS configuration, because custom conf files shouldn't be located there.

My hint is to put all conf files (also outputs.conf and inputs.conf) in a dedicated app (called a TA, Technology Add-On) and never in $SPLUNK_HOME\etc\system\local.

You can find many answers about this in this Community and documentation at https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Usingforwardingagents or at https://www.splunk.com/en_us/resources/videos/getting-data-in-with-forwarders.html

Ciao.

Giuseppe


SinghK
Builder

Install this add-on on the UF (https://splunkbase.splunk.com/app/742/) and create your inputs by copying inputs.conf to the local directory and changing

disabled = 0

You will have some predefined inputs which you can use from inputs.conf; just enable them.


SinghK
Builder

Try and read the documentation for the Windows add-on. It should be on the same link.

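One way to do what PickleRick and gcusello recommend above (keep inputs.conf and outputs.conf in a dedicated app rather than in etc\system\local) and to enable a predefined Windows input the way SinghK describes, as an added example that is not part of the thread. Everything in it is an assumption for illustration: the install path D:\SplunkUniversalForwarder, the app name my_uf_base, and an indexer at 192.0.2.10 listening on 9997.

```powershell
# Added example, not from the original thread. Creates a dedicated app on the
# Windows Universal Forwarder that carries both inputs.conf and outputs.conf,
# restarts the forwarder, then uses btool to show which file each effective
# setting was taken from (the precedence PickleRick's link describes).
# Assumptions (not stated in the thread): install path D:\SplunkUniversalForwarder,
# app name "my_uf_base", indexer 192.0.2.10 receiving on TCP 9997.
# Run from an elevated prompt: the UF runs as a Windows service.

$SplunkHome = 'D:\SplunkUniversalForwarder'
$AppName    = 'my_uf_base'
$Indexer    = '192.0.2.10:9997'
$SplunkExe  = Join-Path $SplunkHome 'bin\splunk.exe'

$local = Join-Path $SplunkHome "etc\apps\$AppName\local"
New-Item -ItemType Directory -Path $local -Force | Out-Null

# outputs.conf: where the forwarder sends data. It lives in the app, not in
# etc\system\local, so a different app can replace it without hand edits.
@"
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $Indexer
"@ | Set-Content -Path (Join-Path $local 'outputs.conf') -Encoding ASCII

# inputs.conf: enable the Security event log. The stanza name must match the
# one in the add-on's default\inputs.conf exactly, otherwise you create a
# second stanza instead of overriding the disabled setting of the first.
@"
[WinEventLog://Security]
disabled = 0
"@ | Set-Content -Path (Join-Path $local 'inputs.conf') -Encoding ASCII

# Restart so the forwarder rebuilds its merged configuration.
& $SplunkExe restart

# Verify precedence: with --debug, btool prefixes every line with the file it
# came from, so you can see whether etc\system\local or an app's local\ won.
& $SplunkExe btool inputs list 'WinEventLog://Security' --debug
& $SplunkExe btool outputs list --debug
```

The files are written with `-Encoding ASCII` on purpose: PowerShell's default output encoding can prepend a byte-order mark, and a BOM at the start of a .conf file can stop Splunk from parsing the first stanza header. The two `btool ... --debug` calls are the check worth keeping: if a setting still shows as coming from etc\system\local or from another app's local\ directory, that file outranks the one you just wrote and is what the forwarder is actually using.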