Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- edit inputs.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
edit inputs.conf
I have a issue with picking up the keyword from a tail of a text file. Reading through the documention found that there is a suggestion to add 'followTail = 1' to the inputs.conf file.
Now ( i hope i am right) the input.conf that i need to edit is:
C:\Program Files\Splunk\etc\apps\SplunkLightForwarder\default
unfortunately, this file cannot be edited or saved, as system complains that 'access is denied'.
Then i stopped the splunkd and splunkweb, services, and put them as manual rather than automatic, and restarted the machine. Verified that the services mentioned were not running, but still there seems to be a lock on the file.
I am editing the correct inputs.conf file?
How can i successfully edit the file and add the changes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well, i have added the inputs.conf file to the folder that was suggested.
I am now struggling with what condition to put for the alerts. Basically the following are at disposal:
1)always
2)if number of events
3)if number of hosts
4)if number of sources
5)if custom condition is met
need to know which one to define, so that the alert is sent out the moment the keyword is there in the new text that was written to in the dynamic text file.
Also i have set the start time as 'rt-60s' and finish time as 'rt'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is another question, and as such you should post it separately.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to check the file permissions in Windows to determine why you are getting an access denied when trying to edit that file.
That said, you shouldn't be editing the inputs.conf file in "default". Best practice for all your own modifications is to create an inputs.conf in "local" instead (so full path would be "C:\Program Files\Splunk\etc\apps\SplunkLightForwarder\local\inputs.conf"). Any settings in this file will override the ones in "default".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should create an inputs.conf file in the "local" directory of the target app(SplunkLightForwarder) and make your changes there.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
