Hi,
I installed a UF on a windows server, and asked it to monitor Forwarding Events, but I don't see anything create in inputs.conf. Is it stored anywhere?
What are "forwarding events" , is it a WinEventLog channel ?
inputs.conf can be in many locations.
Hi @wildbird,
Great 😊
"splunk apply shcluster-bundle" command is for Deployer to push the apps from $SPLUNK_HOME/etc/shcluster/apps to Search Head Cluster members.
https://docs.splunk.com/Documentation/Splunk/8.1.3/DistSearch/PropagateSHCconfigurationchanges
"splunk reload deploy-server" command is for Deployment Server to update Deployment server apps/serverclass bundles hashes on $SPLUNK_HOME/etc/deployment-apps folder. Deployment clients like Universal Forwarders will get the new apps on their next requests.
https://docs.splunk.com/Documentation/Splunk/8.1.3/Updating/Updateconfigurations
Sometimes it is confusing since both commands is related to Deploy 😀
Hİ @wildbird,
splunk apply shcluster-bundle --target https://SH:8089 --answer-yes
Ths command is not for deployment server, you should use below instead;
splunk reload deploy-server
Hi @scelikok
it's solved my issue!
Thank you very much!
can you please help me understand what I did wrong?
when do I use: Splunk apply shcluster-bundle and when to use splunk reload deploy-server?
I have a similar issue, I have created an app distributed it to my windows server2016 and only the app.conf appears on the server after deployment
steps I did:
please advise
What are "forwarding events" , is it a WinEventLog channel ?
inputs.conf can be in many locations.
Just found it - MSI.... Thanks.
When you install the forwarder, the gui asks if you want to monitor certain files, and that's one of them.