Use same input stanza across multiple apps

bkwoka · ‎01-08-2019

I am looking to use multiple [WinEventLog://Security] inputs. For example I would like one inputs.conf to be capturing event 6278 in one app and capturing 4724, 4722, 4725 in a separate app. The problem is that Splunk is only using the last input stanza and so it seems to be impossible to have multiple apps with the [WinEventLog://Security] stanza even though they capture different events, have different sourcetypes and send to different indexes.

deepashri_123 · ‎01-08-2019

Hey@bkwoka,

The input is not app specific , the data can be seen across all apps. You can restrict the data to be searched on user level. You can restrict the eventcodes/apps to be searched while creating the roles.
Refer this link:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/Addandeditroles

Let me know if this helps!!

mikemizener · ‎01-08-2019

Hi @bkwoka .

Is the end result to capture specific EventCodes? EventCodes can be included in whitelists/blacklists:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/MonitorWindowseventlogdata#Create_advanced_f...

Vijeta · ‎01-08-2019

You can add your stanza to inputs.conf under etc/apps//local.
That way you will have 2 different inputs.conf with same stanza name under different apps.

richgalloway · ‎01-08-2019

Splunk merges the settings from conf files by stanza name. That means you can't have the same stanza in different apps do different things. The settings from the apps will be combined, with the app first in alphabetical order winning if more than one app tries to set the same attribute.

---
If this reply helps you, Karma would be appreciated.

Vijeta · ‎01-08-2019

I haven’t tried though but thought naming same stanza in different app folders would work . Thanks for sharing !

Use same input stanza across multiple apps

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk