Security

Receiver inputs.conf Location Configuring Via Web GUI

sjwone
Explorer

Splunk 5.0.5
Windows 7

I setup a receiver through Splunk Web. I'd like to add compression, but I'm having trouble locating the inputs.conf containing the [splunktcp://9997] stanza. Does anyone know where this is located when configured through Splunk Web?

Tags (2)
1 Solution

sowings
Splunk Employee
Splunk Employee

The answer depends upon where your user context was when you configured it. It might be the "launcher" app, or "search" or any other app. Basically, it's in the app you were in before you clicked on the "Manager" link.

Since you're in version 5.0.5, you can use the btool command to find the exact path of the file containing the setting. Versions prior to 5.0.5 (ish) only gave you the application name.

First, to set up btool on Windows, enter this in a command shell:

set SPLUNK_HOME=C:\program files\splunk (or wherever Splunk is installed)

Now you can run the program itself: %SPLUNK_HOME%\bin\btool inputs list splunktcp --debug

You'll get the base [splunktcp] stanza, but also the [splunktcp://9997] one. The --debug adds the full path to the file containing the setting in the leftmost position, so it should be easy to see where the file is located.

View solution in original post

sowings
Splunk Employee
Splunk Employee

The answer depends upon where your user context was when you configured it. It might be the "launcher" app, or "search" or any other app. Basically, it's in the app you were in before you clicked on the "Manager" link.

Since you're in version 5.0.5, you can use the btool command to find the exact path of the file containing the setting. Versions prior to 5.0.5 (ish) only gave you the application name.

First, to set up btool on Windows, enter this in a command shell:

set SPLUNK_HOME=C:\program files\splunk (or wherever Splunk is installed)

Now you can run the program itself: %SPLUNK_HOME%\bin\btool inputs list splunktcp --debug

You'll get the base [splunktcp] stanza, but also the [splunktcp://9997] one. The --debug adds the full path to the file containing the setting in the leftmost position, so it should be easy to see where the file is located.

sowings
Splunk Employee
Splunk Employee

Also, note that the URL bar gives you a hint about where you are at all times. The first part of the URL is your locale (en-US for me), followed by the context, then the application name (if applicable), and the view name. For example, in versions prior to 6, the main "Search" page is at: en-US/app/search/flashtimeline. When you click the Manager from this context, you're now at en-US/manager/search, so any new configs you create would be in the "search" app.

sowings
Splunk Employee
Splunk Employee

We don't like to configure items in system/local, because it becomes an itch that you can't scratch with the deployment server. I hardly ever do configuration via the UI, I'm always down in configuration files. Further, in a "production grade deployment", you're not likely to be configuring hosts by hand. Most of the deployments I'm working on are large enough to merit some config management tool, like the deployment server, or external, like puppet or chef.

That being said, I've worked with this for a while, so app containment just feels "natural" to me.

sjwone
Explorer

What an excellent answer! Something I find concerning is the "randomness" on where the stanza is added. I expected it to be in etc/system/local/inputs.conf. I'm thinking in a production grade deployment, I should configure the receiver by updating this file manually and then restart splunk. Would you agree?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...