Generally, you create an app and put inputs.conf there, like this: $SPLUNK_HOME/etc/apps/YourAppNameHere/default/inputs.conf . Yes, it is that easy. Do not get into the HORRIBLE habit of using the GUI to create inputs because then they will be placed in various places and also in the local (instead of the correct default ) directory. Also, you should be using a Deployment Serer to deploy these apps to your forwarders. In that case, put your app in the deployment-apps directory here: $SPLUNK_HOME/etc/deployment-apps/YourAppNameHere/default/inputs.conf . Then have your forwarders pull it in as Deployment Clients and it will end up in the apps directory on the client.
... View more