Which of the following is the preferred syntax for setting values in configuration files?
disabled = [true|false] or disabled = [0|1]
The documentation for version 4.3 refers to "true|false". However, we are deploying Windows Lightweight Forwarders using the GUI and the command line, and in both cases the generated "inputs.conf" file contains disabled = [0 | 1].
If we try to use disabled = [true | false], the inputs.conf file loses all the values as shown below:
[WinEventLog:Application]
[WinEventLog:ForwardedEvents]
[WinEventLog:HardwareEvents]
[WinEventLog:Internet Explorer]
[WinEventLog:Security]
[WinEventLog:Setup]
[WinEventLog:System]
Hi steveirogers
the docs state the following:
The Security, Application, and System event log inputs are enabled by
default. To disable an input type, comment it out or set disabled = 1 in
$SPLUNK_HOME\etc\apps\windows\local\inputs.conf
or
disabled = [1|0] Enable (0) or disable (1) this input.
meaning disabled = [1|0] is the correct way to enable or disable the inputs.
cheers
Thanks very much, MuS. That clarified it for me.
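A forwarder whose WinEventLog stanzas have lost their settings, as in the question, is worth catching before Security log collection is assumed to be working. The following check is an added example, not code from this thread or from Splunk: it parses an inputs.conf and flags WinEventLog stanzas that are empty or whose disabled value is not the 0/1 form from the documentation quoted in the answer. The function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample: Application uses the 0/1 form from the quoted docs,
# Security mirrors the empty stanzas shown in the question.
SAMPLE_INPUTS_CONF = """\
[WinEventLog:Application]
disabled = 0

[WinEventLog:Security]

[WinEventLog:System]
disabled = false

[WinEventLog:Setup]
disabled = 1
"""

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

def parse_stanzas(text):
    """Return {stanza: {key: value}}, skipping blank lines and # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group("name"), {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit_wineventlog(text):
    """Return (stanza, finding) pairs for WinEventLog inputs needing review."""
    findings = []
    for name, settings in parse_stanzas(text).items():
        if not name.startswith("WinEventLog:"):
            continue
        if not settings:
            findings.append((name, "stanza has no settings"))
        elif "disabled" not in settings:
            findings.append((name, "no disabled key"))
        elif settings["disabled"] not in ("0", "1"):
            findings.append((name, "disabled is not 0 or 1: " + settings["disabled"]))
    return findings
```

Call `audit_wineventlog()` on the contents of each deployed inputs.conf; an empty result means every WinEventLog stanza carries an explicit 0 or 1.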