Hi danman06,
If you're receiving _internal logs, you've correctly configured outputs.conf.
To take Windows logs, I suggest using the Splunk_TA_Windows, which you can download from Splunkbase ( https://splunkbase.splunk.com/app/742/ ).
You have to:
copy this TA to your Universal Forwarder in $SPLUNK_HOME\splunkuniversalforwarder\etc\apps;
then copy the default\inputs.conf file to local\inputs.conf;
modify the local\inputs.conf file, enabling the WinEventLog:Security stanza by changing disabled=1 to disabled=0;
restart Splunk on the Forwarder.
At http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows , you can find the documentation to install and configure Splunk_TA_Windows.
In this way you're sure to correctly configure your Windows inputs and you're ready for the next step: deploying this TA to other Forwarders using the Deployment Server, but this is another thing.
Bye.
Giuseppe
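
The steps in the answer above, as an added PowerShell example (not part of the original post and not Splunk's own tooling). It assumes a default Universal Forwarder install path, the app folder name `Splunk_TA_windows`, and that the Security stanza appears in inputs.conf as `[WinEventLog://Security]`; the function name `Enable-InputStanza` is hypothetical.

```powershell
# Added example. Paths and folder name are assumptions; adjust to your install.
param(
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$AppName    = 'Splunk_TA_windows',
    [string]$Stanza     = 'WinEventLog://Security'
)

function Enable-InputStanza {
    # Sets "disabled = 0" only inside [$Stanza]; every other stanza is left untouched.
    param([string[]]$Lines, [string]$Stanza)
    $inTarget = $false
    $changed  = $false
    $out = foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # A new stanza header starts: track whether it is the one we want.
            $inTarget = ($Matches[1] -eq $Stanza)
        }
        elseif ($inTarget -and $line -match '^\s*disabled\s*=') {
            $line = 'disabled = 0'
            $changed = $true
        }
        $line
    }
    # Fail loudly instead of restarting with an unchanged configuration.
    if (-not $changed) { throw "No 'disabled' setting found under [$Stanza]" }
    return $out
}

$appDir   = Join-Path $SplunkHome "etc\apps\$AppName"
$default  = Join-Path $appDir 'default\inputs.conf'
$localDir = Join-Path $appDir 'local'
$local    = Join-Path $localDir 'inputs.conf'

# Copy default\inputs.conf to local\inputs.conf (an existing local file is kept).
New-Item -ItemType Directory -Path $localDir -Force | Out-Null
if (-not (Test-Path $local)) { Copy-Item -Path $default -Destination $local }

# Enable the Security event log stanza in the local copy only.
$updated = Enable-InputStanza -Lines (Get-Content -Path $local) -Stanza $Stanza
Set-Content -Path $local -Value $updated

# Show the edited stanza so the change can be checked before restarting.
Select-String -Path $local -SimpleMatch "[$Stanza]" -Context 0,3

# Restart Splunk on the forwarder so the new input is picked up.
& (Join-Path $SplunkHome 'bin\splunk.exe') restart
```

Run it from an elevated PowerShell session on the forwarder; after the restart, Security events from that host should start arriving at the indexer alongside the _internal logs.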