Getting Data In

Input.conf on Deployment App

jonsantos
Engager

I created a deployment app (which distributes to Windows Universal Forwarders), from my Linux Deployment Server. Inside Windows\Local\ I have an inputs.conf file looks like this:

[WinEventLog://System]
blacklist = EventCode=xxxx

When the app gets delivered to the Windows Universal Forwarders, the input.conf file in the deployed app looks like this:

[WinEventLog://System]blacklist = EventCode=xxxx

The contents in the Inputs.conf is all in one line causing the blacklisting not to work. Any ideas on what I'm doing wrong?

Jon

Labels (1)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @jonsantos,

Windows notepad cannot show Linux line endings properly, that should not be a problem. Please try filter with quotes like below;

[WinEventLog://System]
blacklist = EventCode="xxxx"

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @jonsantos,

Windows notepad cannot show Linux line endings properly, that should not be a problem. Please try filter with quotes like below;

[WinEventLog://System]
blacklist = EventCode="xxxx"

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...