Hi everybody,
I'm trying to deploy 2 apps to a universal forwarder from a deployment server. The problem that I'm encountering is that when the deployment finishes and the Splunk Universal Forwarder service restarts, the deployed apps don't work; if I deploy only 1 app instead, the app works and I receive the logs.
My configuration is the following:
In my Universal Forwarder I have:
o) App1
o) App2
The input.conf file from App1 has this config:
[WinEventLog://ForwardedEvents]
index=index1
sourcetype=sourcetype1
whitelist= 4100,4104,4103
evt_resolve_ad_obj=1
renderXml=0
And App2 has the same configuration, but changing the events received:
[WinEventLog://ForwardedEvents]
index=index2
sourcetype=sourcetype2
blacklist= 4100,4104,4103
evt_resolve_ad_obj=1
renderXml=0
These apps work separately, but not together. Is there any kind of limit on using several apps on a single universal forwarder?
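
Added example, not part of the original post: Splunk merges stanzas that share a name across apps into one effective stanza, so the two [WinEventLog://ForwardedEvents] blocks above do not become two separate inputs. This Python sketch models that merge for the two posted configurations, assuming both files sit at the same directory level of their apps, where the app name that sorts first wins for each setting; the function names are hypothetical.

```python
import configparser

# The two stanzas from the post, embedded as sample input.
APPS = {
    "App1": """[WinEventLog://ForwardedEvents]
index=index1
sourcetype=sourcetype1
whitelist= 4100,4104,4103
evt_resolve_ad_obj=1
renderXml=0
""",
    "App2": """[WinEventLog://ForwardedEvents]
index=index2
sourcetype=sourcetype2
blacklist= 4100,4104,4103
evt_resolve_ad_obj=1
renderXml=0
""",
}

def parse(text):
    """Parse one .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. renderXml
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def effective(apps):
    """Model of the merge: visit apps in sorted-name order; the first
    value seen for a key wins, and keys set by only one app are kept."""
    merged, origin = {}, {}
    for app in sorted(apps):
        for stanza, settings in parse(apps[app]).items():
            for key, value in settings.items():
                if key not in merged.setdefault(stanza, {}):
                    merged[stanza][key] = value
                    origin.setdefault(stanza, {})[key] = app
    return merged, origin

def filter_overlap(settings):
    """Event codes that one stanza lists in both whitelist and blacklist."""
    codes = lambda k: {c.strip() for c in settings.get(k, "").split(",") if c.strip()}
    return sorted(codes("whitelist") & codes("blacklist"))

if __name__ == "__main__":
    merged, origin = effective(APPS)
    for stanza, settings in merged.items():
        print(f"[{stanza}]")
        for key, value in settings.items():
            print(f"{key} = {value}    # from {origin[stanza][key]}")
        print("codes in both filters:", filter_overlap(settings))
```

On the forwarder itself, `splunk btool inputs list --debug` prints the effective stanza together with the file each setting came from.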