uf install didn't create inputs.conf

a212830
Champion

Hi,

I installed a UF on a Windows server, and asked it to monitor Forwarding Events, but I don't see anything created in inputs.conf. Is it stored anywhere?


yannK
Splunk Employee

What are "forwarding events"? Is it a WinEventLog channel?

inputs.conf can be in many locations.

  • $SPLUNK_HOME/etc/system/local
  • $SPLUNK_HOME/etc/apps/search/local
  • $SPLUNK_HOME/etc/apps/MSI-created/local
  • $SPLUNK_HOME/etc/apps//local
  • etc...

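One way to check all of the locations listed in the answer above at once, as an added example that is not part of the original thread or of Splunk's own tooling: the script walks `etc` under the forwarder directory, finds every inputs.conf, and reports each stanza with the file that defines it. The sample tree, the host name `WINSRV01` and the two `WinEventLog://` stanzas are constructed for illustration, and the `disabled` check is simplified to the values `1` and `true`.

```python
import os
import re
import tempfile

STANZA = re.compile(r"^\[(.+)\]$")

def find_inputs(splunk_home):
    """List every stanza in every inputs.conf under <splunk_home>/etc."""
    results = []
    for root, _dirs, files in os.walk(os.path.join(splunk_home, "etc")):
        if "inputs.conf" not in files:
            continue
        path = os.path.join(root, "inputs.conf")
        rel = os.path.relpath(path, splunk_home)
        in_stanza = False
        with open(path, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue  # skip blank lines and comments
                match = STANZA.match(line)
                if match:
                    in_stanza = True
                    results.append({"file": rel, "stanza": match.group(1), "disabled": False})
                elif in_stanza and "=" in line:
                    key, value = (part.strip() for part in line.split("=", 1))
                    if key == "disabled" and value.lower() in ("1", "true"):
                        results[-1]["disabled"] = True
    return sorted(results, key=lambda r: (r["file"], r["stanza"]))

def build_sample_home():
    """Constructed sample tree (not from the thread) so the example runs offline."""
    home = tempfile.mkdtemp(prefix="splunk_home_")
    samples = {
        ("etc", "system", "local"): "[default]\nhost = WINSRV01\n",
        ("etc", "apps", "MSI-created", "local"):
            "# written by the installer\n[WinEventLog://ForwardedEvents]\ndisabled = 0\n"
            "[WinEventLog://Security]\ndisabled = 1\n",
    }
    for parts, text in samples.items():
        folder = os.path.join(home, *parts)
        os.makedirs(folder)
        with open(os.path.join(folder, "inputs.conf"), "w", encoding="utf-8") as fh:
            fh.write(text)
    return home

if __name__ == "__main__":
    # Uses the real forwarder directory when SPLUNK_HOME is set, else the sample tree.
    for row in find_inputs(os.environ.get("SPLUNK_HOME") or build_sample_home()):
        state = "disabled" if row["disabled"] else "enabled"
        print(f'{row["file"]}: [{row["stanza"]}] ({state})')
```

On a live forwarder, `splunk btool inputs list --debug` prints the merged configuration together with the file each setting comes from.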

scelikok
SplunkTrust

Hi @wildbird,

Great  😊 

"splunk apply shcluster-bundle" command is for Deployer to push the apps from $SPLUNK_HOME/etc/shcluster/apps to Search Head Cluster members.  

https://docs.splunk.com/Documentation/Splunk/8.1.3/DistSearch/PropagateSHCconfigurationchanges 

"splunk reload deploy-server" command is for Deployment Server to update Deployment server apps/serverclass bundles hashes on $SPLUNK_HOME/etc/deployment-apps folder. Deployment clients like Universal Forwarders will get the new apps on their next requests.

https://docs.splunk.com/Documentation/Splunk/8.1.3/Updating/Updateconfigurations 

Sometimes it is confusing since both commands are related to Deploy 😀

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

scelikok
SplunkTrust

Hi @wildbird,

splunk apply shcluster-bundle  --target https://SH:8089 --answer-yes

This command is not for deployment server; you should use the one below instead:

splunk reload deploy-server

 

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

wildbird
Explorer

Hi @scelikok 

It solved my issue!

Thank you very much!

Can you please help me understand what I did wrong?

When do I use splunk apply shcluster-bundle and when do I use splunk reload deploy-server?

 


wildbird
Explorer

I have a similar issue: I have created an app, distributed it to my Windows Server 2016, and only the app.conf appears on the server after deployment.

Steps I did:

  1. Created an app with an inputs.conf file in my deployment server (/opt/splunk/etc/deployment-apps/my_app/local/inputs.conf)
  2. Created a relevant server class
  3. Attached my app to the server class
  4. Made sure that my server is in the include list of the server class.
  5. splunk apply shcluster-bundle --target https://SH:8089 --answer-yes.
  6. RDP to server - the directory has been created, but only app.conf
  7. I have tried to troubleshoot by deleting the local copy of the app on the server, disabled any security policy on that server and reran step 5 - with the same result.

Please advise.

 



a212830
Champion

Just found it - MSI.... Thanks.


a212830
Champion

When you install the forwarder, the GUI asks if you want to monitor certain files, and that's one of them.
