- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can we monitor changes to inputs.conf file on ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using Splunk Enterprise 6.2.2
The Problem: No data ingested.
We have several deployed APPs and would like to monitor changes to inputs.conf file on our universal forwarders. We have created a new app called confMonitor. It's input file is shown below.
[monitor://C:\Program Files\splunkuniversalforwarder\etc\apps\windows\local\inputs.conf]
disabled = false
sourcetype = syslog
index = testdata
There are three APPS on this universal forwarder; confMonitor, windows and sendtoindexer; only the later two function.
The splunkd.log file shows the following; no other messages exist about this APP or inputs file.
08-XX-20XX 10:23:56.277 -0400 INFO TailingProcessor - Adding watch on path: C:\Program Files\splunkuniversalforwarder\etc\apps\windows\local\inputs.conf.
sourcetype=syslog is a valid sourcetype; index=testdata is a valid index. We tried using crcSalt = ; we've tried csv as a sourcetype. We have stopped/started the universal forwarder in order to re-read the APPS on the universal forwarder. We do not use a deployment server. It looks like fschange from previous versions of Splunk may have worked, but I think it's been deprecated. Help is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is TOTALLY the wrong way to go about it because monitor is a tail -f thing and you need a fschange + diff thing. But there is an app for that: Configurations Analytics App for Splunk:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is TOTALLY the wrong way to go about it because monitor is a tail -f thing and you need a fschange + diff thing. But there is an app for that: Configurations Analytics App for Splunk:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the information. Works great!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's get the author to comment and then you can UpVote his comment and get him some Thank-You Karma since you like his app. He is a GREAT GUY: Hey @landen99 where are you and what are you up to lately? We've got some app-love happening here!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am in Houston getting ready for Hurricane Harvey to come in Friday through Monday. I would like to improve that app and even create a Cloud version, but I just can't find the time yet. All development help on the app is welcome. It still needs more extractions and dashboards.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
