Getting Data In

uf install didn't create inputs.conf

a212830
Champion

Hi,

I installed a UF on a Windows server, and asked it to monitor Forwarding Events, but I don't see anything created in inputs.conf. Is it stored anywhere?


yannK
Splunk Employee

What are "forwarding events"? Is it a WinEventLog channel?

inputs.conf can be in many locations.

  • $SPLUNK_HOME/etc/system/local
  • $SPLUNK_HOME/etc/apps/search/local
  • $SPLUNK_HOME/etc/apps/MSI-created/local
  • $SPLUNK_HOME/etc/apps//local
  • etc...
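
The answer above lists several places an inputs.conf can live. As an added example (not part of the original thread and not Splunk's own tooling), this Python script walks a Splunk home directory, lists every inputs.conf with its stanzas, and reports which file defines a WinEventLog input. The sample tree, host name, `my_app` contents and channel stanza are constructed for illustration.

```python
import os
import re
import tempfile

STANZA = re.compile(r"^\[(.+)\]\s*$")

def find_inputs(splunk_home):
    """Return {relative path of each inputs.conf under etc/: [stanza names]}."""
    found = {}
    for root, _dirs, files in os.walk(os.path.join(splunk_home, "etc")):
        if "inputs.conf" not in files:
            continue
        path = os.path.join(root, "inputs.conf")
        # utf-8-sig strips a BOM, which Windows editors often add
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            stanzas = [m.group(1) for line in fh
                       if (m := STANZA.match(line.strip()))]
        found[os.path.relpath(path, splunk_home).replace(os.sep, "/")] = stanzas
    return found

def files_defining(splunk_home, prefix):
    """List the inputs.conf files holding a stanza that starts with prefix."""
    return sorted(p for p, names in find_inputs(splunk_home).items()
                  if any(n.lower().startswith(prefix.lower()) for n in names))

def build_sample_home():
    """Constructed sample tree; host, app content and channel are made up."""
    home = tempfile.mkdtemp(prefix="splunk_home_")
    sample = {
        "etc/system/local/inputs.conf": "[default]\nhost = WINSRV01\n",
        "etc/apps/MSI-created/local/inputs.conf":
            "[WinEventLog://ForwardedEvents]\ndisabled = 0\n",
        "etc/apps/my_app/local/app.conf": "[install]\nstate = enabled\n",
    }
    for rel, text in sample.items():
        path = os.path.join(home, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return home

if __name__ == "__main__":
    # Use the real forwarder if SPLUNK_HOME is set, else the constructed tree
    home = os.environ.get("SPLUNK_HOME") or build_sample_home()
    for path, stanzas in sorted(find_inputs(home).items()):
        print(path, stanzas)
    print("WinEventLog defined in:", files_defining(home, "WinEventLog"))
```

On a real forwarder, `splunk btool inputs list --debug` gives the merged configuration with the source file of each setting.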


scelikok
SplunkTrust

Hi @wildbird,

Great  😊 

"splunk apply shcluster-bundle" command is for Deployer to push the apps from $SPLUNK_HOME/etc/shcluster/apps to Search Head Cluster members.  

https://docs.splunk.com/Documentation/Splunk/8.1.3/DistSearch/PropagateSHCconfigurationchanges 

"splunk reload deploy-server" command is for Deployment Server to update Deployment server apps/serverclass bundles hashes on $SPLUNK_HOME/etc/deployment-apps folder. Deployment clients like Universal Forwarders will get the new apps on their next requests.

https://docs.splunk.com/Documentation/Splunk/8.1.3/Updating/Updateconfigurations 

Sometimes it is confusing since both commands are related to Deploy 😀

If this reply helps you an upvote is appreciated.

scelikok
SplunkTrust

Hi @wildbird,

splunk apply shcluster-bundle  --target https://SH:8089 --answer-yes

This command is not for the deployment server; you should use the one below instead:

splunk reload deploy-server

 

If this reply helps you an upvote is appreciated.

wildbird
Explorer

Hi @scelikok 

It's solved my issue!

Thank you very much!

Can you please help me understand what I did wrong?

When do I use splunk apply shcluster-bundle, and when do I use splunk reload deploy-server?

 


wildbird
Explorer

I have a similar issue. I have created an app and distributed it to my Windows Server 2016, and only the app.conf appears on the server after deployment.

Steps I did:

  1. Created an app with an inputs.conf file on my deployment server (/opt/splunk/etc/deployment-apps/my_app/local/inputs.conf)
  2. Created a relevant server class
  3. Attached my app to the server class
  4. Made sure that my server is in the include list of the server class.
  5. splunk apply shcluster-bundle  --target https://SH:8089 --answer-yes.
  6. RDP to the server - the directory has been created, but with only app.conf
  7. I have tried to troubleshoot by deleting the local copy of the app on the server, disabling any security policy on that server and rerunning step 5 - with the same result.

Please advise.

 


a212830
Champion

Just found it - MSI.... Thanks.


a212830
Champion

When you install the forwarder, the GUI asks if you want to monitor certain files, and that's one of them.
