
location of configuration for inputs set up with installer windows based forwarder

dominiquevocat
Motivator

We have set up universal forwarders on Windows. During the setup one can specify to monitor a specific folder and not much more.

The folder and files under it are listed by running
splunk list monitor
However, I would like to specify the target index, sourcetype and also perform some regex on the filename to set some properties.

I have had a look at every inputs.conf on the machine and fail to see the "[monitor:" stanza that tails this path.

0 Karma
1 Solution

dominiquevocat
Motivator

I did overlook $SPLUNK_HOME\etc\apps\MSICreated\inputs.conf as per aholzer ( http://answers.splunk.com/users/142151/aholzer )

0 Karma

dominiquevocat
Motivator

indeed, it was in the (somehow overlooked) \MSICreated 😕 thanks!

0 Karma

jtrucks
Splunk Employee

Install the Splunk on Splunk app and go to Data Inputs -> File Monitor Inputs to see where this is likely configured and how it is set up. Also, search the entire Splunk Forwarder for any file named inputs.conf and then be sure to look in every one of those files. It might not be written into the file in the exact way you expect, so you may have to search for a subset of our file path, say just one directory in the path, to find it - or just look manually as there aren't that many places to look.

--
Jesse Trucks
Minister of Magic

dominiquevocat
Motivator

Thanks for the heads up, I will have to check what firewall rules are needed in order to see the forwarder - I only see the main indexer in S.o.S. etc. but thanks.

0 Karma

aholzer
Motivator

I find it highly unlikely that you searched ALL inputs.conf on the host. If these events are being generated from that host, then an inputs.conf must exist, the only question is where.

If you set up the monitoring via the .msi it's probably under $SPLUNK_HOME\etc\apps\MSICreated\ either in local or default. On the bright side you can simply create an inputs.conf inside of $SPLUNK_HOME\etc\system\local and override the inputs.conf without having to find it. I wouldn't suggest this, because you now have to maintain this file rather than a file inside an app. You can do this as a last resort.
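
Added example, not part of the original thread and not Splunk's own code: a PowerShell function that walks every inputs.conf under the forwarder, as the answers above suggest, and reports each [monitor://...] stanza with the file that defines it and any index or sourcetype set there. The function name Find-SplunkMonitorStanza and its parameters are hypothetical, and the fallback install path is an assumption.

```powershell
function Find-SplunkMonitorStanza {
    param(
        # Assumption: SPLUNK_HOME is set, otherwise use the usual Universal Forwarder directory.
        [string]$SplunkHome = $(if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME }
                                else { 'C:\Program Files\SplunkUniversalForwarder' }),
        # Optional: one directory name from the monitored path, to narrow the output.
        [string]$PathFragment = ''
    )

    Get-ChildItem -Path (Join-Path $SplunkHome 'etc') -Recurse -File -Filter 'inputs.conf' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file   = $_.FullName
        $stanza = $null
        foreach ($line in Get-Content -LiteralPath $file) {
            $text = $line.Trim()
            if ($text -eq '' -or $text.StartsWith('#')) { continue }   # blank line or comment

            if ($text -match '^\[(.+)\]$') {
                # A new stanza header ends the previous one: emit it if it was a monitor stanza.
                if ($stanza) { $stanza }
                $stanza = $null
                if ($Matches[1] -like 'monitor://*') {
                    $stanza = [pscustomobject]@{
                        File = $file; Stanza = $Matches[1]
                        Index = $null; Sourcetype = $null; Disabled = $null
                    }
                }
            }
            elseif ($stanza -and $text -match '^(index|sourcetype|disabled)\s*=\s*(.*)$') {
                # Property lookup is case-insensitive, so 'index' fills the Index column.
                $name = $Matches[1]
                $stanza.$name = $Matches[2]
            }
        }
        if ($stanza) { $stanza }   # last stanza in the file
    } |
    Where-Object { $_.Stanza.IndexOf($PathFragment, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
}

# List every monitor stanza on this forwarder with the file it lives in.
Find-SplunkMonitorStanza | Format-Table -AutoSize -Wrap
```

Pass -PathFragment with a single directory name from the monitored path when the stanza may not be written exactly as expected. Splunk's own `splunk cmd btool inputs list --debug` prints the merged configuration together with the file each line came from.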
