Solved: Splunk Light: After creating a server class to col...

motoxrdr21 · ‎11-10-2015

I'm evaluating Splunk Light for purchase and running in to some issues collecting Windows Event Logs from multiple servers.

I installed the Universal Forwarder on a few machines, then to test the setup, I configured a receiver, created a server class, and set it up to collect logs from the Windows App, Sec, & Sys logs which is working great. So I continued installing the forwarder on a number of other machines and that's where I ran in to an issue.

From looking through the UI and doing some Googling, it seems like Splunk Light isn't able to manage server classes, REALLY odd that you can create one and not modify it, but that would be absolutely fine if I had the ability to manage forwarder clients individually. However, it seems like that's not possible either:
I can't setup a forwarded data input without using a server class.
I can't add a new server to an existing server class.
I can't add multiple server classes with the same Windows Event Log inputs. When I try, I receive an error "Cannot create another input for the event log "Application", one already exists."

So how, are you supposed to collect forwarded Windows Event Logs from an additional server in Splunk Light?

ChrisG · ‎11-10-2015

There is a published known issue where you can create server classes in Splunk Light but not modify them. You can only disable or delete them. It's inconvenient, I agree. You would have to delete it and make a new one that includes all your servers.

View solution in original post

ChrisG · ‎11-10-2015

There is a published known issue where you can create server classes in Splunk Light but not modify them. You can only disable or delete them. It's inconvenient, I agree. You would have to delete it and make a new one that includes all your servers.

motoxrdr21 · ‎11-10-2015

Thanks for the quick response ChrisG,

So the behavior is a result of a known bug that should be fixed in a future release at which point I'll be able to modify server classes?

jmorgan_ · ‎03-15-2016

When you combine this with the fact that you can't delete data inputs in Splunk Light, it provides for a very poor new user experience.

dkoshe_splunk · ‎03-16-2016

Splunk Light in the current version does not allow editing server classses via UI (something that will be fixed in upcoming version), but you can always update/edit serverclass.conf file manually (and then restart Splunk Light for the changes to be effective)

Document here is also applicable to Splunk Light: http://docs.splunk.com/Documentation/Splunk/6.3.3/Updating/Definedeploymentclasses

You can always delete the inputs by going to Data inputs page

jmorgan_ · ‎03-18-2016

dkoshe, thank you for the information. I ended up finding the serverclass.conf file and handled it from there. Awkward to say the least. Glad you guys are adding a method of handling it via the UI!

There is a bug when deleting Data inputs, but that is for another thread. Thanks again.

ChrisG · ‎11-10-2015

It should be, but I couldn't say anything substantive about when....

motoxrdr21 · ‎11-10-2015

That's fine, timelines can be fuzzy & bugs slip through testing in even the best software. Thanks Chris!

ucistudentlifei · ‎11-30-2015

Does anyone know how to delete them in Light?

Splunk Light: After creating a server class to collect Windows event logs from one server, why am I unable to modify it or create an additional server class?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!