At the moment I am testing Splunk at work. So far, I only have a single Splunk Enterprise instance (acting as deployment server) and a Win7 workstation.
I created a simple app with the purpose of catching EMET events. Its inputs.conf file only contains the following lines:
I created the app in the server, created the server class for Windows 7 workstations and assigned the app to that server class.
After restarting both Splunk server and the client, the app files are copied to the client, but it doesn't seem to filter anything.
In order to to do some troubleshouting, I run in the client the following debug command:
splunk cmd btool inputs list --debug
and I can see in the output that the file was partially parsed... only one line appears to be taken... the two lines disabled =1 were omitted.
Any idea what can be happening? Any tip I could follow?
the powershell execution policy on the w7 machine
is the deployment server running windows? if show check file permissions
try another simple inputs.conf to monitor a file on the desktop (or similar) to check the deployment and client funtionality
search index=_internal error host=myw7machine` to check for app deployment issues