Editing Splunk input and output.conf files

i need to redirect the input and output.conf files for my workstations so it see my current splunk server. which is the correct location of the file?

C:\Program Files\SplunkUniversalForwarder\etc\system\local

or

C:\Program Files\SplunkUniversalForwarder\etc\system\default
LVL 2
NxJNYAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
btanConnect With a Mentor Exec ConsultantCommented:
Change the local, not the default.

Configuration files are stored in:

Default files (Do not edit these preconfigured files.): $SPLUNK_HOME/etc/system/default

Editable local files: $SPLUNK_HOME/etc/system/local

App files: $SPLUNK_HOME/etc/apps/

Splunk Enterprise and apps write configuration settings into configuration files.

 You can configure settings and processes by editing stanzas within copies of the default configuration files.
http://docs.splunk.com/Splexicon:Configurationfile


You should leave the default intact - No change.

http://docs.splunk.com/Documentation/Forwarder/6.4.3/Forwarder/Configuretheuniversalforwarder

For e.g. to note
Default versions of outputs.conf

The universal forwarder ships with these default versions of outputs.conf:

 One in $SPLUNK_HOME/etc/system/default.

 Another in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default.

The default version in the SplunkUniversalForwarder app has precedence over the version under /etc/system/default.

Do not edit default versions of any configuration files
0
 
NxJNYAuthor Commented:
i am getting this error when i log into splunk. does this mean the servers cert expired or my splunk cert expired

09-28-2016 13:03:58.540 -0400 ERROR TcpInputProc - Error encountered for connection from src=192.100.1.25:0195. error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
0
 
btanConnect With a Mentor Exec ConsultantCommented:
It is an issue of certificate expiration.

Splunk default SSL certificate is valid for three years. So, when Splunk InputTcpProc validates a SSL certificate, it recognized it as invalid certificate. As default, Splunk initial installation generate "three" years valid certificates.

http://docs.splunk.com/Documentation/Splunk/6.0/Security/ConfigureSplunkforwardingtousesignedcertificates

Unless the rootCA has expired, you only need a new server certificate. Use splunk createssl server-cert to create a new one certificate to replace the one you are using.
0
 
btanExec ConsultantCommented:
As per advice.
0
All Courses

From novice to tech pro — start learning today.