Deployment Architecture

Use same input stanza across multiple apps

bkwoka
Explorer

I am looking to use multiple [WinEventLog://Security] inputs. For example, I would like one inputs.conf to be capturing event 6278 in one app and capturing 4724, 4722, 4725 in a separate app. The problem is that Splunk is only using the last input stanza, and so it seems to be impossible to have multiple apps with the [WinEventLog://Security] stanza even though they capture different events, have different sourcetypes and send to different indexes.

0 Karma

deepashri_123
Motivator

Hey @bkwoka,

The input is not app-specific; the data can be seen across all apps. You can restrict the data to be searched at the user level. You can restrict the eventcodes/apps to be searched while creating the roles.
Refer to this link:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/Addandeditroles

Let me know if this helps!!

0 Karma

mikemizener
Explorer

Hi @bkwoka.

Is the end result to capture specific EventCodes? EventCodes can be included in whitelists/blacklists:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/MonitorWindowseventlogdata#Create_advanced_f...

0 Karma

Vijeta
Influencer

You can add your stanza to inputs.conf under etc/apps//local.
That way you will have 2 different inputs.conf files with the same stanza name under different apps.

0 Karma

richgalloway
SplunkTrust

Splunk merges the settings from conf files by stanza name. That means you can't have the same stanza in different apps do different things. The settings from the apps will be combined, with the app first in alphabetical order winning if more than one app tries to set the same attribute.

---
If this reply helps you, Karma would be appreciated.
0 Karma
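
Added example, not part of any reply in this thread and not Splunk's own code: a simplified Python model of the stanza merge described in the reply above, applied to the two inputs from the question. The app names, index names and sourcetype are hypothetical, the configs are constructed samples, and only app-level files are modelled, with the first app in ASCII order winning as that reply states.

```python
import configparser

# Constructed sample configs; app, index and sourcetype names are hypothetical.
APPS = {
    "app_nps": """
[WinEventLog://Security]
index = idx_nps
whitelist = 6278
renderXml = true
""",
    "app_account_mgmt": """
[WinEventLog://Security]
index = idx_accounts
sourcetype = accounts
whitelist = 4724,4722,4725
""",
}

def merge_by_stanza(apps):
    """Merge settings per stanza name; the first app in ASCII order wins a conflict.

    Returns (merged, shadowed): merged maps stanza -> key -> (value, winning_app),
    shadowed lists the (app, stanza, key, value) settings that were overridden.
    """
    merged, shadowed = {}, []
    for app in sorted(apps):  # earlier name = higher priority
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        cp.optionxform = str  # keep key case, e.g. renderXml
        cp.read_string(apps[app])
        for stanza in cp.sections():
            slot = merged.setdefault(stanza, {})
            for key, value in cp.items(stanza):
                if key in slot:
                    shadowed.append((app, stanza, key, value))
                else:
                    slot[key] = (value, app)
    return merged, shadowed

if __name__ == "__main__":
    merged, shadowed = merge_by_stanza(APPS)
    for stanza, settings in merged.items():
        print(f"[{stanza}]")
        for key, (value, app) in settings.items():
            print(f"  {key} = {value}    (from {app})")
    for app, stanza, key, value in shadowed:
        print(f"SHADOWED: {app} [{stanza}] {key} = {value}")
```

In this model the `whitelist = 6278` setting is shadowed, so event 6278 would not be collected at all, which is the coverage gap to look for when two apps share a stanza. On a real forwarder, `splunk btool inputs list --debug` prints the effective merged settings and the file each one came from.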

Vijeta
Influencer

I haven’t tried it, though, but thought naming the same stanza in different app folders would work. Thanks for sharing!

0 Karma