Getting Data In

uf install didn't create inputs.conf

a212830
Champion

Hi,

I installed a UF on a Windows server, and asked it to monitor Forwarding Events, but I don't see anything created in inputs.conf. Is it stored anywhere?


yannK
Splunk Employee

What are "forwarding events"? Is it a WinEventLog channel?

inputs.conf can be in many locations.

  • $SPLUNK_HOME/etc/system/local
  • $SPLUNK_HOME/etc/apps/search/local
  • $SPLUNK_HOME/etc/apps/MSI-created/local
  • $SPLUNK_HOME/etc/apps//local
  • etc...
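
Added example (not part of the original reply and not Splunk's own code): because inputs.conf can sit in any of the locations listed above, this sketch walks `$SPLUNK_HOME/etc` and reports which inputs.conf file defines each stanza. The sample tree, the host value and the `WinEventLog://ForwardedEvents` stanza are constructed for illustration; `MSI-created` and `my_app` are the directory names used in this thread.

```python
import os
import re
import tempfile

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

def find_input_stanzas(splunk_home):
    """Return {stanza name: [inputs.conf paths, relative to splunk_home]}."""
    found = {}
    for root, _dirs, files in os.walk(os.path.join(splunk_home, "etc")):
        # .conf files live in default/ and local/ directories.
        if os.path.basename(root) not in ("default", "local"):
            continue
        if "inputs.conf" not in files:
            continue
        path = os.path.join(root, "inputs.conf")
        rel = os.path.relpath(path, splunk_home).replace(os.sep, "/")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                match = STANZA.match(line.strip())
                if match:  # comment and key = value lines never match
                    found.setdefault(match.group("name"), []).append(rel)
    return {name: sorted(paths) for name, paths in found.items()}

def build_sample_home(base):
    """Write a constructed forwarder tree: the input lives in the MSI app,
    while my_app received only app.conf (the symptom described in the thread)."""
    files = {
        "etc/system/local/inputs.conf": "[default]\nhost = WIN-SAMPLE\n",
        "etc/apps/MSI-created/local/inputs.conf":
            "# constructed sample\n[WinEventLog://ForwardedEvents]\ndisabled = 0\n",
        "etc/apps/my_app/local/app.conf": "[install]\nstate = enabled\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return find_input_stanzas(build_sample_home(tmp))

if __name__ == "__main__":
    for stanza, paths in sorted(demo().items()):
        print(f"[{stanza}] -> {', '.join(paths)}")
```

On a real forwarder, Splunk's own `splunk btool inputs list --debug` prints the merged configuration with the source file of every setting, including precedence, which this sketch does not model.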


scelikok
SplunkTrust

Hi @wildbird,

Great  😊 

"splunk apply shcluster-bundle" command is for Deployer to push the apps from $SPLUNK_HOME/etc/shcluster/apps to Search Head Cluster members.  

https://docs.splunk.com/Documentation/Splunk/8.1.3/DistSearch/PropagateSHCconfigurationchanges 

"splunk reload deploy-server" command is for Deployment Server to update Deployment server apps/serverclass bundles hashes on $SPLUNK_HOME/etc/deployment-apps folder. Deployment clients like Universal Forwarders will get the new apps on their next requests.

https://docs.splunk.com/Documentation/Splunk/8.1.3/Updating/Updateconfigurations 

Sometimes it is confusing since both commands are related to Deploy 😀

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

scelikok
SplunkTrust

Hi @wildbird,

splunk apply shcluster-bundle  --target https://SH:8089 --answer-yes

This command is not for deployment server, you should use below instead:

splunk reload deploy-server

 

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

wildbird
Explorer

Hi @scelikok 

It's solved my issue!

Thank you very much!

Can you please help me understand what I did wrong?

When do I use splunk apply shcluster-bundle and when do I use splunk reload deploy-server?

 


wildbird
Explorer

I have a similar issue. I have created an app and distributed it to my Windows Server 2016, and only the app.conf appears on the server after deployment.

Steps I did:

  1. Created an app with an inputs.conf file in my deployment server (/opt/splunk/etc/deployment-apps/my_app/local/inputs.conf)
  2. Created a relevant server class
  3. Attached my app to the server class
  4. Made sure that my server is in the include list of the server class.
  5. splunk apply shcluster-bundle  --target https://SH:8089 --answer-yes.
  6. RDP to server - the directory has been created but with only app.conf
  7. I have tried to troubleshoot by deleting the local copy of the app on the server and disabling any security policy on that server, and reran step 5 - with the same result.

Please advise.

 


a212830
Champion

Just found it - MSI.... Thanks.


a212830
Champion

When you install the forwarder, the GUI asks if you want to monitor certain files, and that's one of them.
