After making modifications to inputs.conf on a Win...

AllenZhang · ‎09-09-2015

Hi,

I need to make some modifications on an inputs.conf file on a Windows server which is installed with a Splunk Forwarder. After I make the change and save the file, and restart the SplunkForwarder service, the file is changed back and the changes I made are lost.

How can I save the changes?

twinspop · ‎09-09-2015

Is your forwarder talking to a deployment server? Which copy of inputs.conf are you changing?

If you're on a DS, the DS will override your changes as you describe. Best to talk to your Splunk admin. but if you want to get creative, save a fresh inputs.conf file at $splunkhome\etc\apps\MYCUSTOMAPP\local\inputs.conf and put your changes there. Change MYCUSTOMAPP whatever you want as long as it's unique. The DS will not touch apps it doesn't know about.

AllenZhang · ‎09-09-2015

The forwarder is talking to deployment server. I can see logs from it. I need to add a particular part of the Application and Services log, [WinEventLog:Microsoft-Windows-...] to the inputs.conf file.

The inputs.conf file is located here: C:\Program Files\SplunkUniversalForwarder\etc\system\local\

I did try stop the Splunkforwarder service first, then make the change, right after I start the service, the inputs.conf file was changed back, my change is lost.

After making modifications to inputs.conf on a Windows forwarder and restart the splunkforwarder service, why are my changes reversed?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases