Getting Data In

What causes "Cannot create another input for the event log "Application". One already exists"?

richardblyth
New Member

I have 2 remote locations with multiple PCs in both places.
I have installed the forwarder on all devices (Windows PCs). I am collecting event logs (Application and System) from 1 of those locations and I am trying to configure Splunk to also collect event logs from the other, but am obviously getting it wrong somewhere. When I try to configure this in the Add Data menu, I get this error when I try and submit it:

Cannot create another input for the event log "Application". One already exists.

Do I have to configure every store using a different port number or something?

Bit confused so any help appreciated.

Thanks

0 Karma
1 Solution

lguinn2
Legend

No, you do not need to use a different port number. It's probably less confusing if you don't.

You need to look at your current inputs. There is one that already exists for the Application event log. It might be disabled, but it does exist. (That's why you are getting the error message.) Perhaps all you need to do is to turn it on.

When you go to Settings -> Data Inputs, you should see Local Event Logs. If you click on the name, it will show you the inputs that have already been set up.

richardblyth
New Member

Thanks for the guidance,

I do already have an input set up for the application event log as I am already collecting them from PCs in my first location. I now want to collect them from my second location.

In this instance how would I go about setting up collecting the same event logs from two (or more) different locations?

0 Karma

lguinn2
Legend

Are you using remote event log collection? In that case, you will need to update the existing input and add the additional servers to the list of remote servers.

However, be aware that Microsoft did not design remote event log collection to scale out to many machines. It is meant to be a simple collection mechanism for small environments. Trying to collect from many servers will bog down - I can't tell you exactly at what point.

If you put a forwarder on each machine and collect the event logs locally, it will be much more efficient and flexible. You can use Forwarder Management to make it easier: Set up a machine to be the deployment server (if you only have one indexer, you could use that machine as the deployment server). Install a forwarder on each machine, but don't configure the inputs. Set each forwarder to be a client of the deployment server. On the deployment server, set up the inputs that you want and have Splunk collect those inputs from all the machines.
You will probably want to read up on Forwarder Management before you do this. While the "Forwarding Data" and "Getting Data In" manuals are useful, Forwarder Management is actually described in Updating Splunk Enterprise Instances. Go figure...

0 Karma
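
The Forwarder Management setup described in the answer above, sketched as configuration files; this is an added example, not part of the original thread. The host name `deploy.example.com`, the server class `windows_pcs` and the app name `win_eventlogs` are assumptions, and each forwarder is assumed to already send its data to the indexer.

```ini
# --- On each forwarder:
# $SPLUNK_HOME/etc/system/local/deploymentclient.conf
[deployment-client]

[target-broker:deploymentServer]
# Assumed host name; 8089 is the default management port
targetUri = deploy.example.com:8089

# --- On the deployment server:
# $SPLUNK_HOME/etc/system/local/serverclass.conf
# "windows_pcs" is a hypothetical server class name
[serverClass:windows_pcs]
# Matches every client that phones home; narrow this to
# host name patterns per location if other clients exist
whitelist.0 = *

# "win_eventlogs" is a hypothetical app name
[serverClass:windows_pcs:app:win_eventlogs]
stateOnClient = enabled
restartSplunkd = true

# --- On the deployment server:
# $SPLUNK_HOME/etc/deployment-apps/win_eventlogs/local/inputs.conf
# Pushed to every matching forwarder; each one reads its own local logs
[WinEventLog://Application]
disabled = 0

[WinEventLog://System]
disabled = 0
```

Because every forwarder collects its own local Application and System logs, the same two stanzas cover both locations and no second input has to be created on the indexer.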

kbrown_splunk
Splunk Employee

Where are you trying to create the new input?

0 Karma