Splunk Add-on for Microsoft Windows: How to modify the source on data from Windows universal forwarder?

DFresh4130
Path Finder

I installed the universal forwarder on a couple Windows 2K3 servers a week ago. During the installation wizard I told it to monitor the IIS log directory. Data is coming in fine, but I'd like to tweak the settings a little for my searches. One thing I'd like to change is the source value the data has associated with it. It's currently defaulting to the log file name the entry came from. How can I go about changing this value to something static like the domain, www.example.com? There is no \etc\apps\search\local\inputs.conf at the moment. I see the below entry in the \etc\apps\Splunk_TA_windows\local\inputs.conf currently which I'm guessing was created when I used the installation wizard to specify the directory to monitor. Should I just edit this file or create the inputs.conf in the \apps\search\local directory like the documentation says?

[monitor://C:\WINDOWS\system32\LogFiles\W3SVC1]
disabled = false

martin_mueller
SplunkTrust

Do edit the file in Splunk_TA_windows. Splitting up the settings for one monitor stanza into two inputs.conf files will only cause confusion down the line.
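
An added example (not code from this thread or from Splunk): a small Python check that flags any inputs.conf stanza defined in more than one file, which is the split the answer above advises against. The file contents are constructed from the stanza and paths in the question, `source = www.example.com` assumes the standard inputs.conf `source` setting for the static value asked about, and the function names are hypothetical.

```python
import re
from collections import defaultdict

STANZA_RE = re.compile(r"^\[(?P<name>.+)\]\s*$")

def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} for the text of one inputs.conf."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group("name"), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def find_split_stanzas(files):
    """Map each stanza that appears in more than one file to {path: settings}."""
    seen = defaultdict(dict)
    for path, text in files.items():
        for name, settings in parse_inputs_conf(text).items():
            seen[name][path] = settings
    return {name: where for name, where in seen.items() if len(where) > 1}

# Constructed sample data, based on the stanza and paths quoted in the question.
STANZA = r"[monitor://C:\WINDOWS\system32\LogFiles\W3SVC1]"
TA_PATH = r"\etc\apps\Splunk_TA_windows\local\inputs.conf"
SEARCH_PATH = r"\etc\apps\search\local\inputs.conf"

# Layout to avoid: one monitor stanza with its settings spread over two apps.
SPLIT = {
    TA_PATH: STANZA + "\ndisabled = false\n",
    SEARCH_PATH: STANZA + "\nsource = www.example.com\n",
}
# Layout the answer recommends: every setting for the stanza in the one file.
CONSOLIDATED = {
    TA_PATH: STANZA + "\ndisabled = false\nsource = www.example.com\n",
}

if __name__ == "__main__":
    for name, where in find_split_stanzas(SPLIT).items():
        print(f"[{name}] is defined in {len(where)} files:")
        for path, settings in where.items():
            print(f"  {path}: {settings}")
    print("split stanzas after consolidating:", find_split_stanzas(CONSOLIDATED))
```
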
