Solved: Re: Receiver inputs.conf Location Configuring Via ...

sjwone · ‎10-31-2013

Splunk 5.0.5
Windows 7

I setup a receiver through Splunk Web. I'd like to add compression, but I'm having trouble locating the inputs.conf containing the [splunktcp://9997] stanza. Does anyone know where this is located when configured through Splunk Web?

sowings · ‎10-31-2013

The answer depends upon where your user context was when you configured it. It might be the "launcher" app, or "search" or any other app. Basically, it's in the app you were in before you clicked on the "Manager" link.

Since you're in version 5.0.5, you can use the btool command to find the exact path of the file containing the setting. Versions prior to 5.0.5 (ish) only gave you the application name.

First, to set up btool on Windows, enter this in a command shell:

set SPLUNK_HOME=C:\program files\splunk (or wherever Splunk is installed)

Now you can run the program itself: %SPLUNK_HOME%\bin\btool inputs list splunktcp --debug

You'll get the base [splunktcp] stanza, but also the [splunktcp://9997] one. The --debug adds the full path to the file containing the setting in the leftmost position, so it should be easy to see where the file is located.

View solution in original post

sowings · ‎10-31-2013

The answer depends upon where your user context was when you configured it. It might be the "launcher" app, or "search" or any other app. Basically, it's in the app you were in before you clicked on the "Manager" link.

Since you're in version 5.0.5, you can use the btool command to find the exact path of the file containing the setting. Versions prior to 5.0.5 (ish) only gave you the application name.

First, to set up btool on Windows, enter this in a command shell:

set SPLUNK_HOME=C:\program files\splunk (or wherever Splunk is installed)

Now you can run the program itself: %SPLUNK_HOME%\bin\btool inputs list splunktcp --debug

You'll get the base [splunktcp] stanza, but also the [splunktcp://9997] one. The --debug adds the full path to the file containing the setting in the leftmost position, so it should be easy to see where the file is located.

sowings · ‎10-31-2013

Also, note that the URL bar gives you a hint about where you are at all times. The first part of the URL is your locale (en-US for me), followed by the context, then the application name (if applicable), and the view name. For example, in versions prior to 6, the main "Search" page is at: en-US/app/search/flashtimeline. When you click the Manager from this context, you're now at en-US/manager/search, so any new configs you create would be in the "search" app.

sowings · ‎10-31-2013

We don't like to configure items in system/local, because it becomes an itch that you can't scratch with the deployment server. I hardly ever do configuration via the UI, I'm always down in configuration files. Further, in a "production grade deployment", you're not likely to be configuring hosts by hand. Most of the deployments I'm working on are large enough to merit some config management tool, like the deployment server, or external, like puppet or chef.

That being said, I've worked with this for a while, so app containment just feels "natural" to me.

sjwone · ‎10-31-2013

What an excellent answer! Something I find concerning is the "randomness" on where the stanza is added. I expected it to be in etc/system/local/inputs.conf. I'm thinking in a production grade deployment, I should configure the receiver by updating this file manually and then restart splunk. Would you agree?

Receiver inputs.conf Location Configuring Via Web GUI

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!