Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

interval in input.conf not followed, Windows add-on

mykol_j
Communicator
‎11-09-2020 09:02 AM

Windows add-on 8.0.0, Splunk 8.0.4.

No matter the interval settings in inputs.conf, they seem to run at random times. For example on one host alone, the "service" checker ran 9 times in one hour. The setting in the stanza is for once a day (86400). I've tried setting it other values -- nothing seems to matter.

Also happening on all other inputs (sourcetype=WinHostMon) that have an interval setting.

Disk, for example (also set interval = 86400) is running 2-16 times for host in one hour.

I've searched for this, and heard the descriptions of the scripts "taking a long time to run" yadda, yadda... but come on, not all of them...and these aren't scripts (and we have arguably over powered hardware running this). This is generating a *lot* of entries for our small test group of only 200.

Thoughts?

Thanks.

Mike

Labels (2)
Labels
0 Karma
Reply

SinghK
Builder
‎11-10-2020 12:36 AM

It all looks ok. Unless there is something that's doing an overide. can you try using btool to check if inputs are all correct.

0 Karma
Reply

mykol_j
Communicator
‎11-10-2020 08:21 AM

Great suggestion on using btool...

However, it confirmed that all is good. I'm focusing on [WinHostMon://Disk] for my test case.

I definitely have:

[WinHostMon://Disk]
interval = 86400
disabled = 0
type = Disk

And definitely confirmed my system is showing data for my Name="C:" at exactly 2 hour intervals... but once in a while only waits an hour in between. Go figure.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2020 10:25 AM

What are the inputs.conf settings for the respective inputs and where are they set?  If you use universal forwarders then the settings must be on the UFs.  Be sure to restart Splunk after changing inputs.conf settings.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mykol_j
Communicator
‎11-09-2020 11:40 AM

[WinHostMon://Disk]
interval = 86400
disabled = 0
type = Disk

...straight out-of-the-box -- (except that I enabled it and changed the interval). In these cases it's being handed out by a deployment server to UFs. Yes, I know the inputs.conf is being applied because other changes are reflected. There's only one app being applied. Yes, it's in local.

Yes, I know to restart/reload it...   😕

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...