Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Blacklisting path of inputs.conf for Local Test

AL3Z
Builder
‎11-20-2023 04:22 PM

Hello,

I'm aiming to test event blacklists on my host system locally, but I'm uncertain about the correct location within the inputs.conf file to place these blacklists. Would it be in:

  1. C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
  2. C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\local\inputs.conf

    Thanks...
Labels (1)
Labels
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎11-20-2023 05:37 PM

Hi @AL3Z 

Both locations are right. 

the first one ... the \etc\system\local\inputs.conf is the default inputs.conf file path. Generally if you dont have different apps, you can use this file alone and specify all files for monitoring, whitelisting and blacklistings. 

if you have lots of things for monitoring, it will be better to group them as "apps" and then have their config files in their particular folders. so troubleshooting will become easy. 

 

then understanding the file precedence

http://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Wheretofindtheconfigurationfiles

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply

AL3Z
Builder
‎11-20-2023 10:45 PM

@inventsekar , I believe this is the cause of issue,

from the below snapshot  Creator_Process_Name                                  New_Process_Name

C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exeC:\Windows\System32\cmd.exe

 

When I excluded the creator processname tanium its newprocess name cmd.exe is also excluded.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...