How to update only the inputs.conf blacklist stanza on a universal forwarder with a deployment server?

joe_bayreaux
Explorer

Have a myriad of webservers in a webfarm where I need to blacklist certain eventIDs/Types (from time to time) to preserve license usage and minimize "clutter" in searches. It would be very time consuming to update each forwarder individually. (Thought of using DFS, but that will change EVERYTHING.)

Where I am at now: Already defined a server class. Have forwarders inside aforementioned webfarm pointed to deployment server.

Question is: How can I -only- update the "blacklist stanza" and not the host value? Need to keep the host uniquely specified for searching purposes.

My inputs.conf file looks something like this. Again, just want to update the blacklist=XXXX value and leave host = alone?

[default]
host = Server007
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog://Security]
disabled = true
[WinEventLog://System]
disabled = true
[WinEventLog://Application]
disabled = false
blacklist = EventCode="XXXX" Message="Object Type:\s+(?!groupPolicyContainer)"

Thanks in advance for help with this

1 Solution

cpetterborg
SplunkTrust

Put your host information in a different inputs.conf file from the rest (like the etc/system/local/inputs.conf file). Use a separate app with a different inputs.conf file for the other information. On the deployment server you have the deployment-apps folder/directory to put deployed apps. Make a new app there that will be deployed to your UFs and under the app's local folder (assuming you configure your serverclass.conf file properly), but the inputs.conf file there will have the other information. That will allow the deployed information to remain separate from the system-specific configuration information. On your UF, the inputs.conf file would end up in a directory like etc/apps/MYCONFIGAPP/local/inputs.conf, which will be read in along with the etc/system/local/inputs.conf file.
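
The file layout this answer describes, written out as an added example (not part of the original posts). The server class name `webfarm` and the `web*` whitelist pattern are assumptions; MYCONFIGAPP and the input stanzas come from the thread.

```ini
# --- On each UF: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Never deployed. Holds only the machine-specific host value.
[default]
host = Server007

# --- On the deployment server:
#     $SPLUNK_HOME/etc/deployment-apps/MYCONFIGAPP/local/inputs.conf ---
# Shared inputs. Editing the blacklist here changes it for every
# forwarder in the server class and leaves each host value untouched.
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Security]
disabled = true

[WinEventLog://System]
disabled = true

[WinEventLog://Application]
disabled = false
blacklist = EventCode="XXXX" Message="Object Type:\s+(?!groupPolicyContainer)"

# --- On the deployment server:
#     $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# "webfarm" and "web*" are assumed names; match them to your own
# server class and forwarder naming.
[serverClass:webfarm]
whitelist.0 = web*

[serverClass:webfarm:app:MYCONFIGAPP]
stateOnClient = enabled
# Restart the forwarder after the app is installed or updated so the
# new inputs.conf takes effect.
restartSplunkd = true
```

After changing the app, `splunk reload deploy-server` on the deployment server makes it re-read deployment-apps so clients fetch the update on their next check-in. On a forwarder, `splunk btool inputs list --debug` prints each effective setting with the file it came from, which shows whether the deployed inputs.conf is being read and that `host` still comes from etc/system/local.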

joe_bayreaux
Explorer

Thank you sir!!! Only issue I am seeing now is, instead of etc/apps/MYCONFIGAPP/local/inputs.conf

it is showing up in etc/apps/MYCONFIGAPP/inputs.conf. Would the conf file still be read?

Thanks again!

cpetterborg
SplunkTrust

I don't know if it would be read or not, but I think not (I could be wrong). If it is in a local directory, then it should be read.

joe_bayreaux
Explorer

Understood. Re-did configuration so that it deploys to the /local directory to be consistent.

Thanks again for your help with this.
