Getting Data In

How to troubleshoot why inputs.conf from a deployed app is not properly applied to a Universal Forwarder (Win7)?

jacortijo
Explorer

Hi,

At the moment I am testing Splunk at work. So far, I only have a single Splunk Enterprise instance (acting as deployment server) and a Win7 workstation.
I created a simple app with the purpose of catching EMET events. Its inputs.conf file only contains the following lines:

[WinEventLog://Application] 
disabled = 0 
whitelist= SourceName="EMET" EventCode="(^1$|^2$|^11$|^50$)"
[WinEventLog://Security] 
disabled = 1
[WinEventLog://System] 
disabled = 1

I created the app in the server, created the server class for Windows 7 workstations and assigned the app to that server class.
After restarting both Splunk server and the client, the app files are copied to the client, but it doesn't seem to filter anything.

In order to to do some troubleshouting, I run in the client the following debug command:

splunk cmd btool inputs list --debug

and I can see in the output that the file was partially parsed... only one line appears to be taken... the two lines disabled =1 were omitted.

Any idea what can be happening? Any tip I could follow?

Many thanks.
Jose

0YAoNnmRmKDg
Path Finder

check

the powershell execution policy on the w7 machine
is the deployment server running windows? if show check file permissions
try another simple inputs.conf to monitor a file on the desktop (or similar) to check the deployment and client funtionality

search index=_internal error host=myw7machine` to check for app deployment issues

as a start....

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!