|
I have a single server "abc123" that is part of two separate server classes within a deployment server configuration file, with each server class having a different setting for allowing WinEventLog:Application to be enabled / disabled. The snippet from each class looks like this: Finger is the Deployment Server root@finger:/opt/splunk/depot># find . -name inputs.conf | xargs grep -A1 WinEventLog:Application ./ecommerce_windows/local/inputs.conf:[WinEventLog:Application] ./ecommerce_windows/local/inputs.conf-disabled = 0 ./dsi_windows/local/inputs.conf:[WinEventLog:Application] ./dsi_windows/local/inputs.conf-disabled = 1 When I look for server "abc123" with WinEventLog:Application it appears like dsi_windows App wins out by the disabled = 1 (true) setting. I can't simply enable WinEventLog:Application because the other 50 servers would start to index the same data. Can you have two separate settings for disable / enable WinEvenLog:Application living in two separate Apps directories? How do you determine who wins out? pstein |
|
Yes, I believe you can. The winner is determined by order of precedence: The easiest way to figure out which one is effective is to use btool: Great!...so in my case dsi_windows trumps ecommerce_windows dsi_windows = 0/1 based on Alphabetic order. ARAITZ Rocks!
(28 Oct '10, 21:30)
MasterOogway
|
