I'm trying to discover my source inputs.conf file that is responsible for pulling in the WinEventLogs. Our original implementation was back in 2019, and was completed by another SME who has since moved on. When we implemented Splunk Cloud there were many other on-site components implemented, including an IDM server. Since moving to the Victoria Experience we no longer utilize an IDM server, but we have the rest of the resources in place as shown in my attached..
That said, I'm just trying to confirm where to filter my oswin logs from, but I'm not convinced I have identified the source. While I found the inputs.conf file under Splunk_TA_windows (where I'd expect it to be) on the deployment server, I'm not confident it's responsible for this data input. This is because all my entries in the stanza specific for WinEventLog ... have a disable = 1. So while I want to believe, I cannot.
I've looked over mul... More importantly, where are my WinEventLogs truly being sourced from (which inputs.conf)? I've reviewed my resources on the Deployment Server, DMZ Forwarder and Syslog UFW Server and am not finding anything else that would be responsible, nor anything installed regarding Splunk_TA_windows; however, I am indeed getting plenty of data, and I'm trying to be more efficient with our ingest and looking to filter some of these types of logs out.
TIA
Hi @rpfutrell
If possible, run a btool ($SPLUNK_HOME/bin/splunk btool inputs list --debug) on your UF which should give you an output of all inputs configured on that host.
Have a look through the output to see if you can see any references to the logs you're looking for. By applying --debug to the command you will also see, on the left, which file/folder the configuration came from - this should help you track down the app responsible for these inputs and allow you to update accordingly.
If the app is controlled by your DS then you can head over to the DS ($SPLUNK_HOME/etc/deployment-apps/<appName>) and update the configuration there.
Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards
Will
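The btool walk described in the answer above, worked through on constructed output. This is an added example, not code from the original post or from Splunk: it parses the output of `splunk btool inputs list --debug` (first column = the file that supplied each line, rest of the line = the stanza header or setting) and reports, for every WinEventLog stanza, the effective `disabled` value and the file that set it. The sample below is constructed to mirror the question: Splunk_TA_windows/default says `disabled = 1`, but a hypothetical second app (org_windows_inputs, an assumed name) re-enables Security in its local/inputs.conf, which is why data still flows. Assumptions: a stanza with no `disabled` line is treated as enabled, and the file path contains no whitespace (true for a Linux UF under /opt; a Windows path such as `C:\Program Files\...` would need a different split).

```shell
#!/bin/sh
# Added example: find which inputs.conf actually enables each WinEventLog input.
# Real use (Linux UF):  "$SPLUNK_HOME/bin/splunk" btool inputs list --debug | enabled_wineventlog_inputs

# Constructed btool --debug output (not captured from a real host). The first
# column is the file each line came from; org_windows_inputs is a hypothetical app.
SAMPLE_BTOOL=$(cat <<'EOF'
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf  [WinEventLog://Security]
/opt/splunkforwarder/etc/apps/org_windows_inputs/local/inputs.conf   disabled = 0
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf  index = wineventlog
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf  [WinEventLog://System]
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf  disabled = 1
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf  index = wineventlog
/opt/splunkforwarder/etc/system/default/inputs.conf                   [script://./bin/cpu.sh]
/opt/splunkforwarder/etc/system/default/inputs.conf                   disabled = 0
EOF
)

# Reads btool --debug output on stdin; prints one tab-separated line per
# WinEventLog stanza:  stanza<TAB>effective-disabled-value<TAB>file-that-set-it
wineventlog_inputs() {
  awk '
    function flush() {
      if (stanza ~ /^\[WinEventLog:/) printf "%s\t%s\t%s\n", stanza, dis, dfile
    }
    {
      src = $1                               # column 1: originating file
      line = $0
      sub(/^[^ \t]+[ \t]+/, "", line)        # drop the file column
      if (line ~ /^\[/) {                    # stanza header starts a new input
        flush()
        stanza = line; dis = "0"; dfile = src   # assumption: no disabled line => enabled
        next
      }
      if (line ~ /^disabled[ \t]*=/) {       # record the winning disabled value and its file
        val = line
        sub(/^disabled[ \t]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        dis = val; dfile = src
      }
    }
    END { flush() }
  '
}

# Only the inputs that are actually live, with the file responsible for enabling them.
enabled_wineventlog_inputs() {
  wineventlog_inputs | awk -F'\t' '$2 != "1" { printf "%s\t%s\n", $1, $3 }'
}

printf '%s\n' "$SAMPLE_BTOOL" | enabled_wineventlog_inputs
```

In the sample, Security is reported as enabled by org_windows_inputs/local/inputs.conf even though Splunk_TA_windows/default disables it, which is the situation the question describes: the `disabled = 1` you read in the TA is not the value that wins. If the responsible app lives under `$SPLUNK_HOME/etc/deployment-apps` on the DS, edit it there rather than on the UF, or the next deployment will overwrite the change.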
Thank you @livehybrid, after a long day of mapping related things out, I got the bug and found myself manually reviewing all the directories I could. Of course directly after I submitted this I found the correct inputs.conf and realized I need to use btool. 😃
Thanks again for sharing!