Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can we monitor changes to inputs.conf file on our universal forwarders?

halbeisendv
Path Finder
‎08-23-2017 10:21 AM

Using Splunk Enterprise 6.2.2
The Problem: No data ingested.
We have several deployed APPs and would like to monitor changes to inputs.conf file on our universal forwarders. We have created a new app called confMonitor. It's input file is shown below.

[monitor://C:\Program Files\splunkuniversalforwarder\etc\apps\windows\local\inputs.conf]

disabled = false

sourcetype = syslog
index = testdata

There are three APPS on this universal forwarder; confMonitor, windows and sendtoindexer; only the later two function.

The splunkd.log file shows the following; no other messages exist about this APP or inputs file.
08-XX-20XX 10:23:56.277 -0400 INFO TailingProcessor - Adding watch on path: C:\Program Files\splunkuniversalforwarder\etc\apps\windows\local\inputs.conf.

sourcetype=syslog is a valid sourcetype; index=testdata is a valid index. We tried using crcSalt = ; we've tried csv as a sourcetype. We have stopped/started the universal forwarder in order to re-read the APPS on the universal forwarder. We do not use a deployment server. It looks like fschange from previous versions of Splunk may have worked, but I think it's been deprecated. Help is appreciated.

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-25-2017 08:46 AM

This is TOTALLY the wrong way to go about it because monitor is a tail -f thing and you need a fschange + diff thing. But there is an app for that: Configurations Analytics App for Splunk:

https://splunkbase.splunk.com/app/3295/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-25-2017 08:46 AM

This is TOTALLY the wrong way to go about it because monitor is a tail -f thing and you need a fschange + diff thing. But there is an app for that: Configurations Analytics App for Splunk:

https://splunkbase.splunk.com/app/3295/

0 Karma
Reply
Solved! Jump to solution

halbeisendv
Path Finder
‎08-25-2017 09:46 AM

Thank you for the information. Works great!

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-25-2017 10:17 AM

Let's get the author to comment and then you can UpVote his comment and get him some Thank-You Karma since you like his app. He is a GREAT GUY: Hey @landen99 where are you and what are you up to lately? We've got some app-love happening here!

0 Karma
Reply
Solved! Jump to solution

landen99
Motivator
‎08-25-2017 11:18 AM

I am in Houston getting ready for Hurricane Harvey to come in Friday through Monday. I would like to improve that app and even create a Cloud version, but I just can't find the time yet. All development help on the app is welcome. It still needs more extractions and dashboards.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...