Format of configuration files

steveirogers · ‎03-01-2012

Which of the following is the preferred syntax for setting values in configuration files?
disabled = [true|false] or disabled = [0|1]

The documentation for version 4.3 refers to "true|false". However, we are deploying Windows Lightweight Forwarders using the GUI and the command line and in both cases, the the generated "inputs.conf" file contains diabled = [0 | 1].

If we try to use disabled = [true | false], the inputs.conf file loses all the values as shown below:

[WinEventLog:Application]

[WinEventLog:ForwardedEvents]

[WinEventLog:HardwareEvents]

[WinEventLog:Internet Explorer]

[WinEventLog:Security]

[WinEventLog:Setup]

[WinEventLog:System]

MuS · ‎03-02-2012

Hi steveirogers

the docs state the following:

The Security, Application, and System event log inputs are enabled by 
default.  To disable an input type, comment it out or set disabled = 1 in
$SPLUNK_HOME\etc\apps\windows\local\inputs.conf

or

disabled = [1|0] Enable (0) or disable (1) this input.

meaning disable = [1|0] is the correct way to enable or disable the inputs.

cheers

steveirogers · ‎03-02-2012

Thanks very MuS. That clarified it for me.

Format of configuration files

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!