Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

edit inputs.conf

rashidmirza
New Member
‎10-18-2011 01:22 AM

I have a issue with picking up the keyword from a tail of a text file. Reading through the documention found that there is a suggestion to add 'followTail = 1' to the inputs.conf file.
Now ( i hope i am right) the input.conf that i need to edit is:
C:\Program Files\Splunk\etc\apps\SplunkLightForwarder\default

unfortunately, this file cannot be edited or saved, as system complains that 'access is denied'.
Then i stopped the splunkd and splunkweb, services, and put them as manual rather than automatic, and restarted the machine. Verified that the services mentioned were not running, but still there seems to be a lock on the file.
I am editing the correct inputs.conf file?
How can i successfully edit the file and add the changes?

Tags (2)
0 Karma
Reply

rashidmirza
New Member
‎10-18-2011 04:31 AM

well, i have added the inputs.conf file to the folder that was suggested.
I am now struggling with what condition to put for the alerts. Basically the following are at disposal:
1)always
2)if number of events
3)if number of hosts
4)if number of sources
5)if custom condition is met

need to know which one to define, so that the alert is sent out the moment the keyword is there in the new text that was written to in the dynamic text file.

Also i have set the start time as 'rt-60s' and finish time as 'rt'.

0 Karma
Reply

Ayn
Legend
‎10-18-2011 04:42 AM

That is another question, and as such you should post it separately.

0 Karma
Reply

Ayn
Legend
‎10-18-2011 02:00 AM

You need to check the file permissions in Windows to determine why you are getting an access denied when trying to edit that file.

That said, you shouldn't be editing the inputs.conf file in "default". Best practice for all your own modifications is to create an inputs.conf in "local" instead (so full path would be "C:\Program Files\Splunk\etc\apps\SplunkLightForwarder\local\inputs.conf"). Any settings in this file will override the ones in "default".

0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎10-18-2011 01:56 AM

You should create an inputs.conf file in the "local" directory of the target app(SplunkLightForwarder) and make your changes there.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...