Getting Data In

What causes "Cannot create another input for the event log "Application". One already exists"?

richardblyth
New Member

I have 2 remote locations with multiple PCs in both places.
I have installed the forwarder on all devices (Windows PCs). I am collecting event logs (Application and System) from one of those locations and I am trying to configure Splunk to also collect event logs from the other, but am obviously getting it wrong somewhere. When I try to configure this in the Add Data menu, I get this error when I try to submit it:

Cannot create another input for the event log "Application". One already exists.

Do I have to configure every store using a different port number or something?

Bit confused so any help appreciated.

Thanks

0 Karma
1 Solution

lguinn2
Legend

No, you do not need to use a different port number. It's probably less confusing if you don't.

You need to look at your current inputs. There is one that already exists for the Application event log. It might be disabled, but it does exist. (That's why you are getting the error message.) Perhaps all you need to do is to turn it on.

When you go to Settings -> Data Inputs, you should see Local Event Logs. If you click on the name, it will show you the inputs that have already been set up.

richardblyth
New Member

Thanks for the guidance,

I do already have an input set up for the Application event log, as I am already collecting them from PCs in my first location. I now want to collect them from my second location.

In this instance, how would I go about setting up collection of the same event logs from two (or more) different locations?

0 Karma

lguinn2
Legend

Are you using remote event log collection? In that case, you will need to update the existing input and add the additional servers to the list of remote servers.

However, be aware that Microsoft did not design remote event log collection to scale out to many machines. It is meant to be a simple collection mechanism for small environments. Trying to collect from many servers will bog down - I can't tell you exactly at what point.

If you put a forwarder on each machine and collect the event logs locally, it will be much more efficient and flexible. You can use Forwarder Management to make it easier: set up a machine to be the deployment server (if you only have one indexer, you could use that machine as the deployment server). Install a forwarder on each machine, but don't configure the inputs. Set each forwarder to be a client of the deployment server. On the deployment server, set up the inputs that you want and have Splunk collect those inputs from all the machines.
You will probably want to read up on Forwarder Management before you do this. While the "Forwarding Data" and "Getting Data In" manuals are useful, Forwarder Management is actually described in Updating Splunk Enterprise Instances. Go figure...

0 Karma
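The deployment-server layout described above, written out as the three configuration files involved (an added example, not part of the original thread; the app name `win_eventlog_inputs`, the index name `wineventlog`, the server class name and the hostname `ds.example.com` are assumptions). Because the stanza header is the input's identity, each forwarder can hold only one `[WinEventLog://Application]` stanza, which is the condition the error in the question reports; pushing that single stanza to every client from the deployment server is what lets all locations share it.

```ini
# --- On the deployment server ---
# $SPLUNK_HOME/etc/deployment-apps/win_eventlog_inputs/local/inputs.conf
# One stanza per Windows event log; a second stanza with the same
# header would be rejected, which is the error seen in the question.
[WinEventLog://Application]
disabled = 0
index = wineventlog
# constructed choice: start from the oldest retained event on first run
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5

# $SPLUNK_HOME/etc/system/local/serverclass.conf
# Assumed server class: every client whose hostname matches the
# whitelist receives the app above and restarts to pick up the inputs.
[serverClass:windows_pcs]
whitelist.0 = *

[serverClass:windows_pcs:app:win_eventlog_inputs]
restartSplunkd = true

# --- On each universal forwarder (both locations) ---
# $SPLUNK_HOME/etc/system/local/deploymentclient.conf
# The forwarder polls the deployment server's management port (8089)
# and installs whatever apps its server class assigns it.
[deployment-client]

[target-broker:deploymentServer]
targetUri = ds.example.com:8089
```

After the clients check in, the inputs appear on each forwarder under `etc/apps/win_eventlog_inputs/`, so the event logs from both locations are collected locally with no remote event log collection involved.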

kbrown_splunk
Splunk Employee

Where are you trying to create the new input?

0 Karma