Have a myriad of webservers in a webfarm where I need to blacklist certain eventIDs/Types (from time to time) to preserve license usage and minimize "clutter" in searches.. It would be very time consuming to update each forwarder individually. (thought of using DFS, but that will change EVERYTHING)
Where I am at now.. Already defined a server class.. Have forwarders inside aforementioned webfarm pointed to deployment server..
Question is.. How can I -only- update the "blacklist stanza" and not host value? Need to keep the host uniquely specified for searching purposes..
My inputs.conf file looks something like this. Again, just want to update the blacklist=XXXX value and leave host = alone?
[default]
host = Server007
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog://Security]
disabled = true
[WinEventLog://System]
disabled = true
[WinEventLog://Application]
disabled = false
blacklist = EventCode="XXXX" Message="Object Type:\s+(?!groupPolicyContainer)"
Thanks in advance for help with this
Put your host information in a different inputs.conf file from the rest (like the etc/system/local/inputs.conf file). Use a separate app with a different inputs.conf file for the other information. On the deployment server you have the deployment-apps folder/directory to put deployed apps. Make a new app there that will be deployed to your UFs and under the app's local folder (assuming you configure your serverclass.conf file properly), but the inputs.conf file there will have the other information. That will allow the deployed information to remain separate from the system-specific configuration information. On your UF, the inputs.conf file would end up in a directory like etc/apps/MYCONFIGAPP/local/inputs.conf, which will be read in along with the etc/system/local/inputs.conf file.
Thank you sir!!! only issue I am seeing now is, instead of etc/apps/MYCONFIGAPP/local/inputs.conf it is showing up in etc/apps/MYCONFIGAPP/inputs.conf .. would the conf file still be read?
Thanks again!
I don't know if it would be read or not, but I think not (I could be wrong). If it is in a local directory, then it should be read.
Understood.. Re-did configuration so that it deploys to the /local directory to be consistent.
Thanks again for your help with this.
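The split described in the answer and the local-directory follow-up, laid out as the three files involved. This is an added example, not configuration from any of the posts above; the server class name "webfarm" and the whitelist pattern are assumptions, and the stanzas are copied from the question.

```ini
# --- File 1: on each forwarder, never deployed ---------------------------
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Holds only the per-machine value, so deployments cannot overwrite it.
[default]
host = Server007

# --- File 2: on the deployment server ------------------------------------
# $SPLUNK_HOME/etc/deployment-apps/MYCONFIGAPP/local/inputs.conf
# Arrives on the forwarder as etc/apps/MYCONFIGAPP/local/inputs.conf.
# Splunk reads an app's .conf files only from its default/ and local/
# directories, so the file must sit inside one of them.
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Security]
disabled = true

[WinEventLog://System]
disabled = true

[WinEventLog://Application]
disabled = false
# Edit this one line centrally; every forwarder in the class picks it up.
blacklist = EventCode="XXXX" Message="Object Type:\s+(?!groupPolicyContainer)"

# --- File 3: on the deployment server ------------------------------------
# $SPLUNK_HOME/etc/system/local/serverclass.conf
# "webfarm" and the whitelist pattern below are assumed names.
[serverClass:webfarm]
whitelist.0 = Server0*

[serverClass:webfarm:app:MYCONFIGAPP]
# Restart the forwarder after the app changes so the new blacklist loads.
restartSplunkd = true
stateOnClient = enabled
```

After changing the blacklist on the deployment server, `splunk reload deploy-server` makes it re-read the deployment apps. On a forwarder, `splunk btool inputs list --debug` shows which file each merged setting came from, which confirms that `host` still comes from etc/system/local.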