Getting Data In
Highlighted

edit inputs.conf

New Member

I have a issue with picking up the keyword from a tail of a text file. Reading through the documention found that there is a suggestion to add 'followTail = 1' to the inputs.conf file.
Now ( i hope i am right) the input.conf that i need to edit is:
C:\Program Files\Splunk\etc\apps\SplunkLightForwarder\default

unfortunately, this file cannot be edited or saved, as system complains that 'access is denied'.
Then i stopped the splunkd and splunkweb, services, and put them as manual rather than automatic, and restarted the machine. Verified that the services mentioned were not running, but still there seems to be a lock on the file.
I am editing the correct inputs.conf file?
How can i successfully edit the file and add the changes?

Tags (2)
0 Karma
Highlighted

Re: edit inputs.conf

Ultra Champion

You should create an inputs.conf file in the "local" directory of the target app(SplunkLightForwarder) and make your changes there.

0 Karma
Highlighted

Re: edit inputs.conf

Legend

You need to check the file permissions in Windows to determine why you are getting an access denied when trying to edit that file.

That said, you shouldn't be editing the inputs.conf file in "default". Best practice for all your own modifications is to create an inputs.conf in "local" instead (so full path would be "C:\Program Files\Splunk\etc\apps\SplunkLightForwarder\local\inputs.conf"). Any settings in this file will override the ones in "default".

0 Karma
Highlighted

Re: edit inputs.conf

New Member

well, i have added the inputs.conf file to the folder that was suggested.
I am now struggling with what condition to put for the alerts. Basically the following are at disposal:
1)always
2)if number of events
3)if number of hosts
4)if number of sources
5)if custom condition is met

need to know which one to define, so that the alert is sent out the moment the keyword is there in the new text that was written to in the dynamic text file.

Also i have set the start time as 'rt-60s' and finish time as 'rt'.

0 Karma
Highlighted

Re: edit inputs.conf

Legend

That is another question, and as such you should post it separately.

0 Karma