I have a single server "abc123" that is part of two separate server classes within a deployment server configuration file, with each server class having a different setting for allowing WinEventLog:Application to be enabled / disabled. The snippet from each class looks like this:
Finger is the Deployment Server root@finger:/opt/splunk/depot># find . -name inputs.conf | xargs grep -A1 WinEventLog:Application
./ecommerce_windows/local/inputs.conf:[WinEventLog:Application] ./ecommerce_windows/local/inputs.conf-disabled = 0
./dsi_windows/local/inputs.conf:[WinEventLog:Application] ./dsi_windows/local/inputs.conf-disabled = 1
When I look for server "abc123" with WinEventLog:Application it appears like dsi_windows App wins out by the disabled = 1 (true) setting. I can't simply enable WinEventLog:Application because the other 50 servers would start to index the same data.
Can you have two separate settings for disable / enable WinEvenLog:Application living in two separate Apps directories? How do you determine who wins out?
pstein
Yes, I believe you can. The winner is determined by order of precedence:
The easiest way to figure out which one is effective is to use btool:
./splunk cmd btool inputs list
Yes, I believe you can. The winner is determined by order of precedence:
The easiest way to figure out which one is effective is to use btool:
./splunk cmd btool inputs list
Great!...so in my case dsi_windows trumps ecommerce_windows dsi_windows = 0/1 based on Alphabetic order.
ARAITZ Rocks!