Getting Data In

Splunk Light: After creating a server class to collect Windows event logs from one server, why am I unable to modify it or create an additional server class?

motoxrdr21
Explorer

I'm evaluating Splunk Light for purchase and running in to some issues collecting Windows Event Logs from multiple servers.

I installed the Universal Forwarder on a few machines, then to test the setup, I configured a receiver, created a server class, and set it up to collect logs from the Windows App, Sec, & Sys logs which is working great. So I continued installing the forwarder on a number of other machines and that's where I ran in to an issue.

From looking through the UI and doing some Googling, it seems like Splunk Light isn't able to manage server classes, REALLY odd that you can create one and not modify it, but that would be absolutely fine if I had the ability to manage forwarder clients individually. However, it seems like that's not possible either:
I can't setup a forwarded data input without using a server class.
I can't add a new server to an existing server class.
I can't add multiple server classes with the same Windows Event Log inputs. When I try, I receive an error "Cannot create another input for the event log "Application", one already exists."

So how, are you supposed to collect forwarded Windows Event Logs from an additional server in Splunk Light?

1 Solution

ChrisG
Splunk Employee
Splunk Employee

There is a published known issue where you can create server classes in Splunk Light but not modify them. You can only disable or delete them. It's inconvenient, I agree. You would have to delete it and make a new one that includes all your servers.

View solution in original post

ChrisG
Splunk Employee
Splunk Employee

There is a published known issue where you can create server classes in Splunk Light but not modify them. You can only disable or delete them. It's inconvenient, I agree. You would have to delete it and make a new one that includes all your servers.

motoxrdr21
Explorer

Thanks for the quick response ChrisG,

So the behavior is a result of a known bug that should be fixed in a future release at which point I'll be able to modify server classes?

0 Karma

jmorgan_
Explorer

When you combine this with the fact that you can't delete data inputs in Splunk Light, it provides for a very poor new user experience.

0 Karma

dkoshe_splunk
Splunk Employee
Splunk Employee

Splunk Light in the current version does not allow editing server classses via UI (something that will be fixed in upcoming version), but you can always update/edit serverclass.conf file manually (and then restart Splunk Light for the changes to be effective)

Document here is also applicable to Splunk Light: http://docs.splunk.com/Documentation/Splunk/6.3.3/Updating/Definedeploymentclasses

You can always delete the inputs by going to Data inputs page

0 Karma

jmorgan_
Explorer

dkoshe, thank you for the information. I ended up finding the serverclass.conf file and handled it from there. Awkward to say the least. Glad you guys are adding a method of handling it via the UI!

There is a bug when deleting Data inputs, but that is for another thread. Thanks again.

0 Karma

ChrisG
Splunk Employee
Splunk Employee

It should be, but I couldn't say anything substantive about when....

0 Karma

motoxrdr21
Explorer

That's fine, timelines can be fuzzy & bugs slip through testing in even the best software. Thanks Chris!

0 Karma

ucistudentlifei
New Member

Does anyone know how to delete them in Light?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...