Solved

Editing Splunk input and output.conf files

Posted on 2016-09-15
4
69 Views
Last Modified: 2016-10-17
i need to redirect the input and output.conf files for my workstations so it see my current splunk server. which is the correct location of the file?

C:\Program Files\SplunkUniversalForwarder\etc\system\local

or

C:\Program Files\SplunkUniversalForwarder\etc\system\default
0
Comment
Question by:NxJNY
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points (awarded by participants)
ID: 41814250
Change the local, not the default.

Configuration files are stored in:

Default files (Do not edit these preconfigured files.): $SPLUNK_HOME/etc/system/default

Editable local files: $SPLUNK_HOME/etc/system/local

App files: $SPLUNK_HOME/etc/apps/

Splunk Enterprise and apps write configuration settings into configuration files.

 You can configure settings and processes by editing stanzas within copies of the default configuration files.
http://docs.splunk.com/Splexicon:Configurationfile


You should leave the default intact - No change.

http://docs.splunk.com/Documentation/Forwarder/6.4.3/Forwarder/Configuretheuniversalforwarder

For e.g. to note
Default versions of outputs.conf

The universal forwarder ships with these default versions of outputs.conf:

 One in $SPLUNK_HOME/etc/system/default.

 Another in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default.

The default version in the SplunkUniversalForwarder app has precedence over the version under /etc/system/default.

Do not edit default versions of any configuration files
0
 
LVL 2

Author Comment

by:NxJNY
ID: 41820327
i am getting this error when i log into splunk. does this mean the servers cert expired or my splunk cert expired

09-28-2016 13:03:58.540 -0400 ERROR TcpInputProc - Error encountered for connection from src=192.100.1.25:0195. error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
ID: 41820904
It is an issue of certificate expiration.

Splunk default SSL certificate is valid for three years. So, when Splunk InputTcpProc validates a SSL certificate, it recognized it as invalid certificate. As default, Splunk initial installation generate "three" years valid certificates.

http://docs.splunk.com/Documentation/Splunk/6.0/Security/ConfigureSplunkforwardingtousesignedcertificates

Unless the rootCA has expired, you only need a new server certificate. Use splunk createssl server-cert to create a new one certificate to replace the one you are using.
0
 
LVL 63

Expert Comment

by:btan
ID: 41846301
As per advice.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

IT certifications are a concrete representation of continual learning on the part of the candidate.  Continual learning is necessary for the long term success of an IT professional, but are IT certifications the right path for you?
When the s#!t hits the fan, you don’t have time to look up who’s on call, draft emails, call collaborators, or send text messages. An instant chat window is definitely the way to go, especially one like HipChat. HipChat is a true business app. An…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question