Deployment Architecture

Use same input stanza across multiple apps

bkwoka
Explorer

I am looking to use multiple [WinEventLog://Security] inputs. For example, I would like one inputs.conf to be capturing event 6278 in one app and capturing 4724, 4722, 4725 in a separate app. The problem is that Splunk is only using the last input stanza, and so it seems to be impossible to have multiple apps with the [WinEventLog://Security] stanza even though they capture different events, have different sourcetypes and send to different indexes.

0 Karma

deepashri_123
Motivator

Hey @bkwoka,

The input is not app specific; the data can be seen across all apps. You can restrict the data to be searched at the user level. You can restrict the eventcodes/apps to be searched while creating the roles.
Refer to this link:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/Addandeditroles

Let me know if this helps!!

0 Karma

mikemizener
Explorer

Hi @bkwoka.

Is the end result to capture specific EventCodes? EventCodes can be included in whitelists/blacklists:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/MonitorWindowseventlogdata#Create_advanced_f...

0 Karma

Vijeta
Influencer

You can add your stanza to inputs.conf under etc/apps//local.
That way you will have 2 different inputs.conf with same stanza name under different apps.

0 Karma

richgalloway
SplunkTrust

Splunk merges the settings from conf files by stanza name. That means you can't have the same stanza in different apps do different things. The settings from the apps will be combined, with the app first in alphabetical order winning if more than one app tries to set the same attribute.

---
If this reply helps you, Karma would be appreciated.
0 Karma
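
Added example (not part of the original thread and not Splunk's own code): a small audit script that applies the merge rule described in the reply above to two apps that both define [WinEventLog://Security], and reports which attribute values are silently discarded. The app names and index names are hypothetical, the sample stanzas are constructed, and a plain string sort stands in for Splunk's app ordering; local/default and system directory layering is not modelled.

```python
import configparser

# Constructed sample: two hypothetical apps, each shipping its own
# [WinEventLog://Security] stanza with the event codes from the question.
APPS = {
    "app_a_account_events": """
[WinEventLog://Security]
disabled = 0
whitelist = 4724,4722,4725
index = index_a
""",
    "app_b_event6278": """
[WinEventLog://Security]
disabled = 0
whitelist = 6278
index = index_b
""",
}

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep attribute names case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def merge(apps):
    """First app in sorted order wins each attribute (rule from the reply above).
    Returns (effective, conflicts); conflicts hold the values that were dropped."""
    effective, owner, conflicts = {}, {}, []
    for app in sorted(apps):  # assumption: plain string sort approximates Splunk's order
        for stanza, attrs in parse(apps[app]).items():
            merged = effective.setdefault(stanza, {})
            for key, value in attrs.items():
                if key not in merged:
                    merged[key] = value
                    owner[(stanza, key)] = app
                elif merged[key] != value:
                    conflicts.append((stanza, key, owner[(stanza, key)], app, value))
    return effective, conflicts

if __name__ == "__main__":
    effective, conflicts = merge(APPS)
    for stanza, attrs in effective.items():
        print(f"[{stanza}]")
        for key, value in attrs.items():
            print(f"{key} = {value}")
    for stanza, key, winner, loser, value in conflicts:
        print(f"DROPPED from {loser}: [{stanza}] {key} = {value} (kept {winner})")
```

With this sample the effective stanza collects only 4724, 4722 and 4725 into one index, so event 6278 is never ingested and any detection that depends on it has no data.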

Vijeta
Influencer

I haven’t tried it, though, but thought naming the same stanza in different app folders would work. Thanks for sharing!

0 Karma