Configuration of UF on Windows server- Confusion over inputs and outputs configuration

dujas
Explorer

Hi All,

I am new to the UF on Windows and here is the deployment in my lab:

1 Splunk Enterprise instance running on Centos8

1 UF running on Windows pointing to the instance above

For now, I am able to retrieve the events on the search bar like "host="DESKTOP-JQJVH8A" source="WinEventLog:Security"".

What I am confused is about the configuration file:

outputs.conf: D:\SplunkUniversalForwarder\etc\system\local

inputs.conf: D:\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local

Why is the inputs.conf not in the same directory as outputs.conf? Is this owing to the installation?

Say I would like to add some more stanzas in the inputs.conf, do I need to create a new inputs.conf in etc\system\local or modify the existing one in etc\apps\SplunkUniversalForwarder\local?

Thanks.

0 Karma

PickleRick
SplunkTrust

Splunk builds a consolidated configuration based on various files it has in various directories in its etc/ directory. There is a precedence of files when the settings are applied to the resulting configurations.

https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Wheretofindtheconfigurationfiles

This mechanism lets you deploy a configuration in a modularized way, so you can - for example - distribute an app with a disabled input to all your forwarders and then only overwrite one setting on one forwarder which will effectively enable the input.

EDIT: So the question of where you _should_ put your file is not a question which has one good-for-all answer. It's not so much a technical question as a matter of the convention you follow in your infrastructure for manageability.

On a manually managed forwarder, it's probably convenient to overwrite some app's default settings in this app's local/ folder. So for windows inputs I'd probably create etc/TA_windows/local/inputs.conf file which will overwrite selected settings of the default windows inputs.

But if I have a huge number of centrally-managed forwarders, I'd rather create a completely separate app with this file, which would allow me to simply enable or disable those inputs just by deploying this app or not over a whole class of forwarders.

0 Karma

gcusello
SplunkTrust

Hi @dujas,

as @SinghK hinted, follow the instructions at the link he described.

Anyway, inputs.conf and outputs.conf are always on:

  • $SPLUNK_HOME\etc\system\default
  • $SPLUNK_HOME\etc\system\local
  • $SPLUNK_HOME\etc\apps\<your_custom_app>\default
  • $SPLUNK_HOME\etc\apps\<your_custom_app>\local

SplunkUniversalForwarder is an internal App that cannot be used and usually you don't find any App or Add-On in this folder.

The question is: how did you configure inputs.conf?

  • by manually editing the inputs.conf file,
  • by CLI,
  • by Deployment Server

In the first case, move it into $SPLUNK_HOME\etc\system\local.

I don't think that you used the CLI, because the CLI always puts inputs.conf in $SPLUNK_HOME\etc\system\local.

In the third case, there's an error in the DS configuration, because custom conf files shouldn't be located there.

My hint is to put all conf files (also outputs.conf and inputs.conf) in a dedicated app (called TA, Technology Add-On) and never in $SPLUNK_HOME\etc\system\local.

You can find many answers about this in this Community and documentation at https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Usingforwardingagents or at https://www.splunk.com/en_us/resources/videos/getting-data-in-with-forwarders.html

Ciao.

Giuseppe

0 Karma

SinghK
Builder

Install this add-on in the UF: https://splunkbase.splunk.com/app/742/

Then create your inputs by copying inputs.conf to the local directory and changing

disabled = 0

You will have some predefined inputs in inputs.conf which you can use; just enable them.

0 Karma
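To make the layering PickleRick describes concrete, together with the disabled = 0 override SinghK mentions, here is an added Python example that is not from this thread or from Splunk. It merges constructed inputs.conf fragments in the documented global-context precedence order (etc/system/local over app local/ over app default/ over etc/system/default) and records which file supplied each effective value. The app name Splunk_TA_windows, the paths and the stanza contents are assumptions for illustration; real Splunk also orders multiple apps among themselves, which this single-app toy does not model.

```python
"""Toy model of Splunk's configuration layering for inputs.conf.

Added example, not code from the thread or from Splunk. It assumes the
documented global-context precedence: etc/system/local beats every app's
local/, which beats every app's default/, which beats etc/system/default.
Real Splunk additionally orders apps among themselves; this toy uses a
single app, so that rule does not come up.
"""

# Constructed sample files, listed lowest precedence first. The app name
# Splunk_TA_windows, the paths and the stanza contents are assumed.
LAYERS = [
    ("etc/system/default/inputs.conf",
     "[default]\nhost = DESKTOP-JQJVH8A\nindex = default\n"),
    ("etc/apps/Splunk_TA_windows/default/inputs.conf",
     "[WinEventLog://Security]\ndisabled = 1\nindex = wineventlog\n"),
    # The one-key override the answers describe: flip only 'disabled'.
    ("etc/apps/Splunk_TA_windows/local/inputs.conf",
     "[WinEventLog://Security]\ndisabled = 0\n"),
    # system/local wins over everything; here it re-points the index.
    ("etc/system/local/inputs.conf",
     "[WinEventLog://Security]\nindex = security_prod\n"),
]


def parse_conf(text):
    """Parse a .conf file into {stanza: {key: value}}; '#' lines are comments."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(layers):
    """Apply layers lowest precedence first; a later layer overwrites a key
    set by an earlier one. Also record which file supplied each effective
    value, which is what 'btool --debug' shows on a real forwarder."""
    effective = {}
    origin = {}
    for path, text in layers:
        for stanza, kv in parse_conf(text).items():
            effective.setdefault(stanza, {})
            origin.setdefault(stanza, {})
            for key, value in kv.items():
                effective[stanza][key] = value
                origin[stanza][key] = path
    return effective, origin


def resolved_stanza(effective, stanza):
    """Splunk fills keys the stanza does not set from the [default] stanza."""
    out = dict(effective.get("default", {}))
    out.update(effective.get(stanza, {}))
    return out


def is_enabled(effective, stanza):
    """An input runs unless its effective 'disabled' is 1/true."""
    return resolved_stanza(effective, stanza).get("disabled", "0") in ("0", "false")


def explain(effective, origin, stanza):
    """Return 'key = value  [file]' lines for one stanza, btool-debug style."""
    lines = []
    for key, value in sorted(resolved_stanza(effective, stanza).items()):
        src = origin.get(stanza, {}).get(key) or origin["default"][key]
        lines.append(f"{key} = {value}  [{src}]")
    return lines


if __name__ == "__main__":
    eff, org = merge_layers(LAYERS)
    print("[WinEventLog://Security] enabled:", is_enabled(eff, "WinEventLog://Security"))
    for line in explain(eff, org, "WinEventLog://Security"):
        print(" ", line)
```

On a real forwarder the equivalent check is splunk.exe btool inputs list --debug run from $SPLUNK_HOME\bin, which prints the merged inputs.conf with the file that supplied each line; that is the quickest way to confirm whether your local override actually took effect before looking for missing events on the indexer.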

SinghK
Builder

Try and read the documentation for the Windows add-on. It should be on the same link.

0 Karma