Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

One Server; Two Apps; Conflicting WinEventLog:Application settings

MasterOogway
Communicator
‎10-28-2010 07:45 PM

I have a single server "abc123" that is part of two separate server classes within a deployment server configuration file, with each server class having a different setting for allowing WinEventLog:Application to be enabled / disabled. The snippet from each class looks like this:

Finger is the Deployment Server root@finger:/opt/splunk/depot># find . -name inputs.conf | xargs grep -A1 WinEventLog:Application

./ecommerce_windows/local/inputs.conf:[WinEventLog:Application] ./ecommerce_windows/local/inputs.conf-disabled = 0

./dsi_windows/local/inputs.conf:[WinEventLog:Application] ./dsi_windows/local/inputs.conf-disabled = 1

When I look for server "abc123" with WinEventLog:Application it appears like dsi_windows App wins out by the disabled = 1 (true) setting. I can't simply enable WinEventLog:Application because the other 50 servers would start to index the same data.

Can you have two separate settings for disable / enable WinEvenLog:Application living in two separate Apps directories? How do you determine who wins out?

pstein

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎10-28-2010 08:13 PM

Yes, I believe you can. The winner is determined by order of precedence:

http://www.splunk.com/base/Documentation/latest/Admin/Wheretofindtheconfigurationfiles#Order_of_prec...

The easiest way to figure out which one is effective is to use btool:

./splunk cmd btool inputs list

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎10-28-2010 08:13 PM

Yes, I believe you can. The winner is determined by order of precedence:

http://www.splunk.com/base/Documentation/latest/Admin/Wheretofindtheconfigurationfiles#Order_of_prec...

The easiest way to figure out which one is effective is to use btool:

./splunk cmd btool inputs list
Reply
Solved! Jump to solution

MasterOogway
Communicator
‎10-28-2010 09:30 PM

Great!...so in my case dsi_windows trumps ecommerce_windows dsi_windows = 0/1 based on Alphabetic order.
ARAITZ Rocks!

0 Karma
Reply
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...