Getting Data In

default '/opt/splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf'?

mitag
Contributor

tl;dr: what are the initial, default contents of /opt/splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf as it ships with "Splunk_TA_windows" - if it exists and not empty?

Reason I ask: it does not exist in my instance on the Deployment Server (only apps.conf in that folder); I am trying to figure out what it should be and how to fix what seems to be a broken "Splunk Add-on for Microsoft Windows" ("Splunk_TA_windows") in an inherited Splunk instance. The TA doesn't seem to be gathering any data, and produces errors such:

ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe"" splunk-winhostinfo - Found a invalid type named 'application' in stanza WinHostMon://Application, this will not be processed.

(i.e. the TA can't find the executables or scripts it needs.)

I suspect this is due to someone merging the TA's own inputs.conf into a single master inputs.conf (/opt/splunk/etc/deployment-apps/_server_app_Windows_Clients/local/inputs.conf on the Deployment Server) and then deleting it - which seems to have broken things.

Thanks!

P.S. Apologies for the formatting - for some reason "Insert/Edit code sample" buttons don't work for me.

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust
Most apps ship with an empty local directory, except for app.conf.
If your app is broken, re-install it.

The code button on this forum is non-intuitive. You must click the button with no text highlighted then enter your code into the pop-up box.
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust
Most apps ship with an empty local directory, except for app.conf.
If your app is broken, re-install it.

The code button on this forum is non-intuitive. You must click the button with no text highlighted then enter your code into the pop-up box.
---
If this reply helps you, Karma would be appreciated.

mitag
Contributor

Thank you, this was the answer:

"Most apps ship with an empty local directory, except for app.conf."

It's also implied in "Download and configure the Splunk Add-on for Windows version 6.0.0 or later":

"Copy the inputs.conf file in the default subdirectory to the local directory.<"

P.S. The app may not be broken after all - just unconfigured. Likely the "_server_app_Windows_Clients" needs to be cleaned up - cleared of things that were originally part of the add-on. (Don't ask. That person has left the building.)

P.P.S. What's the accepted format for quotes? E.g. quoting documentation or snippets from others' posts?

0 Karma

richgalloway
SplunkTrust
SplunkTrust
P.P.S. What's the accepted format for quotes? E.g. quoting documentation or snippets from others' posts?

We don't have one, yet.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...