Hi Adonio, yeah, I am the same guy who asked that question. Please help me to understand this. The query below applies irrespective of whether it is a Windows system or a Unix/Linux system. I am citing a Windows deployment here.
1) In a Windows system with UF installed, we typically configure "$SPLUNKHOME\etc\apps\SplunkUniversalForwarder\local\inputs.conf" to forward data to the indexer. Assume that I have an [admon] or a [WinEventLog://Security] input defined here. Once done, I am able to view these events using search queries via the Search & Reporting App in the search head. So far so good.
2) Now, when we have a TA for Windows or a TA for Active Directory on the same host with UF, we would typically configure input stanzas in $SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local\inputs.conf. Assume I have the same "[admon] or a [WinEventLog://Security]" inputs defined here as well.
Does the inputs.conf of the TA then override or ignore the input stanzas that were defined in the UF inputs.conf earlier, so that the system only forwards the events to the indexer as per the TA inputs.conf? Or is it that when we have the TA installed, there is no need to configure the UF inputs.conf at all?