We have set up universal forwarders on Windows. During the setup one can specify to monitor a specific folder and not much more.
The folder and files under it are listed by running
splunk list monitor
However, I would like to specify the target index and sourcetype and also perform some regex on the filename to set some properties.
I have had a look at every inputs.conf on the machine and fail to see the "[monitor:" stanza that tails this path.
I did overlook $SPLUNK_HOME\etc\apps\MSICreated\inputs.conf as per aholzer ( http://answers.splunk.com/users/142151/aholzer )
Indeed, it was in the (somehow overlooked) \MSICreated 😕 Thanks!
Install the Splunk on Splunk app and go to Data Inputs -> File Monitor Inputs to see where this is likely configured and how it is set up. Also, search the entire Splunk Forwarder for any file named inputs.conf and then be sure to look in every one of those files. It might not be written into the file in the exact way you expect, so you may have to search for a subset of your file path, say just one directory in the path, to find it - or just look manually, as there aren't that many places to look.
Thanks for the heads-up. I will have to check what firewall rules are needed in order to see the forwarder - I only see the main indexer in S.o.S. etc. But thanks.
I find it highly unlikely that you searched ALL inputs.conf files on the host. If these events are being generated from that host, then an inputs.conf must exist; the only question is where.
If you set up the monitoring via the .msi, it's probably under $SPLUNK_HOME\etc\apps\MSICreated\, either in local or default. On the bright side, you can simply create an inputs.conf inside $SPLUNK_HOME\etc\system\local and override the inputs.conf without having to find it. I wouldn't suggest this, because you now have to maintain this file rather than a file inside an app. You can do this as a last resort.
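The two answers above boil down to a procedure: enumerate every inputs.conf under $SPLUNK_HOME\etc in Splunk's precedence order, search them for a fragment of the path rather than the exact string, and, as a last resort, drop an overriding stanza into etc\system\local. The script below is an added example written for this thread, not Splunk's own code and not from any of the posters. It assumes the documented global-context layering (etc/system/local, then each app's local, then each app's default, then etc/system/default, apps in ASCII order of name), and it builds a throw-away $SPLUNK_HOME with an MSICreated app as constructed sample data; the monitored path, index and sourcetype values are invented for the demo.

```python
"""Locate, and optionally override, the [monitor://...] stanza that tails a
path on a Splunk universal forwarder, checking every inputs.conf in
precedence order.  Added example for this thread, not Splunk's code.
Assumptions: global-context layering as documented by Splunk (system/local >
apps/<app>/local > apps/<app>/default > system/default, apps in ASCII order);
the tree from build_sample_tree() is constructed data, not a real install."""
import re
import tempfile
from pathlib import Path

STANZA_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
KV_RE = re.compile(r"^\s*([^=#\s][^=]*?)\s*=\s*(.*?)\s*$")
MON = "monitor://"


def parse_conf(path):
    """Return {stanza: {key: value}} for one .conf file; comments are skipped."""
    stanzas, current = {}, None
    for line in Path(path).read_text(encoding="utf-8", errors="replace").splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group(1)] = m.group(2)
    return stanzas


def inputs_conf_layers(splunk_home):
    """Every inputs.conf under $SPLUNK_HOME/etc, highest precedence first."""
    etc = Path(splunk_home) / "etc"
    apps_dir = etc / "apps"
    apps = sorted((p for p in apps_dir.iterdir() if p.is_dir()),
                  key=lambda p: p.name) if apps_dir.is_dir() else []
    layers = ([etc / "system" / "local"] + [a / "local" for a in apps]
              + [a / "default" for a in apps] + [etc / "system" / "default"])
    return [d / "inputs.conf" for d in layers if (d / "inputs.conf").is_file()]


def norm(p):
    """Normalise a Windows path for comparison: slashes, case, trailing slash."""
    return p.replace("\\", "/").rstrip("/").lower()


def grep_inputs(splunk_home, fragment):
    """Search every inputs.conf for a *piece* of the path, since the stanza may
    not be spelled the way you expect.  Returns (file, line_number, line)."""
    frag, hits = norm(fragment), []
    for conf in inputs_conf_layers(splunk_home):
        for n, line in enumerate(conf.read_text(encoding="utf-8").splitlines(), 1):
            if frag in norm(line):
                hits.append((str(conf), n, line))
    return hits


def find_monitor(splunk_home, target):
    """Highest-precedence monitor stanza covering `target` (same path or a parent
    directory) plus its effective settings after per-key merging of the same
    stanza from lower layers.  None if no stanza tails it."""
    t, hits = norm(target), []
    for conf in inputs_conf_layers(splunk_home):
        for stanza, kv in parse_conf(conf).items():
            if stanza.lower().startswith(MON):
                mon = norm(stanza[len(MON):])
                if t == mon or t.startswith(mon + "/"):
                    hits.append((conf, stanza, kv))
    if not hits:
        return None
    top_conf, top_stanza, _ = hits[0]
    effective = {}
    for conf, stanza, kv in reversed(hits):            # lowest layer first ...
        if norm(stanza[len(MON):]) == norm(top_stanza[len(MON):]):
            effective.update(kv)                         # ... higher layers win per key
    return {"file": str(top_conf), "stanza": top_stanza, "settings": effective}


def override_in_system_local(splunk_home, monitored_path, **settings):
    """The 'last resort': append a stanza to etc/system/local/inputs.conf,
    which outranks every app's copy (you now own its maintenance)."""
    conf = Path(splunk_home) / "etc" / "system" / "local" / "inputs.conf"
    conf.parent.mkdir(parents=True, exist_ok=True)
    body = f"\n[{MON}{monitored_path}]\n" + "".join(f"{k} = {v}\n" for k, v in settings.items())
    with conf.open("a", encoding="utf-8") as fh:
        fh.write(body)
    return str(conf)


def build_sample_tree():
    """Constructed $SPLUNK_HOME modelled on the thread (invented values)."""
    home = Path(tempfile.mkdtemp(prefix="uf_"))
    files = {
        # what the .msi wrote: the stanza the question could not find
        "etc/apps/MSICreated/local/inputs.conf":
            "[monitor://C:\\Program Files\\MyApp\\logs]\ndisabled = 0\nindex = main\n",
        "etc/apps/MSICreated/default/inputs.conf":
            "[monitor://C:\\Program Files\\MyApp\\logs]\nsourcetype = myapp_raw\n",
        "etc/system/default/inputs.conf": "[default]\nhost = uf01\n",
    }
    for rel, text in files.items():
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_text(text, encoding="utf-8")
    return home


if __name__ == "__main__":
    home = build_sample_tree()
    print(find_monitor(home, r"C:\Program Files\MyApp\logs\app.log"))
    override_in_system_local(home, r"C:\Program Files\MyApp\logs",
                             index="winlogs", sourcetype="myapp_json")
    print(find_monitor(home, r"C:\Program Files\MyApp\logs\app.log"))
```

Point `find_monitor` at a real forwarder's $SPLUNK_HOME to see which file actually defines the tail for a given log and what index and sourcetype it resolves to once lower layers are merged in; `grep_inputs` is the "search for a subset of the path" step when the stanza uses a different spelling or a parent directory. The override helper shows why the second answer calls system\local a last resort: it wins on every key it sets, but nothing in an app can undo it.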