I have read another Q&A
http://answers.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux
but I'm confused whether the steps should be done on the receiver or the sender.
Thanks in advance.
Hi windyita,
universal forwarder is the sender and indexer is the receiver, so
hope this helps ...
cheers, MuS
I actually did what you said, but in step 7:
Step 7: Add Data:
/opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%
This will create a file: inputs.conf in /opt/splunk/etc/apps/search/local/
Note: System logs in /var/log/ are covered in the configuration part of Step 7. If you have application logs in /var/log/*/
I didn't find inputs.conf in /opt/splunk/etc/apps/search/local/
What is the reason? Thanks.
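
The `add monitor` command quoted above is run from `/opt/splunkforwarder/bin/splunk`, so the stanza it writes belongs to that installation's `etc/` tree rather than to `/opt/splunk`. As an added example (not part of the original thread or of Splunk's own tooling), this shell function lists every `[monitor://...]` stanza under a given installation root together with the file that defines it; the temporary directory layout and the `app_logs` sourcetype are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example: locate the inputs.conf that defines each monitor stanza.

# List "<file> <stanza> index=<i> sourcetype=<s>" for every [monitor://...]
# stanza found under <root>/etc. Usage: find_monitor_stanzas /opt/splunkforwarder
find_monitor_stanzas() {
    local splunk_home="$1"
    [ -d "$splunk_home/etc" ] || { echo "no etc/ under $splunk_home" >&2; return 1; }
    # inputs.conf may sit in etc/system/local or in any app's local/default dir.
    find "$splunk_home/etc" -type f -name inputs.conf 2>/dev/null | sort |
    while IFS= read -r conf; do
        awk -v file="$conf" '
            function emit() {
                if (stanza != "")
                    printf "%s\t%s\tindex=%s\tsourcetype=%s\n", file, stanza, idx, st
            }
            /^[ \t]*#/ { next }                      # skip comment lines
            /^\[/ {                                  # any new stanza header
                emit(); stanza = ""; idx = "-"; st = "-"
                if ($0 ~ /^\[monitor:\/\//) { stanza = $0; sub(/[ \t]+$/, "", stanza) }
                next
            }
            stanza != "" && /^[ \t]*index[ \t]*=/      { sub(/^[^=]*=[ \t]*/, ""); idx = $0 }
            stanza != "" && /^[ \t]*sourcetype[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); st = $0 }
            END { emit() }
        ' "$conf"
    done
}

# Constructed sample layout: a forwarder root holding the monitor stanza and an
# indexer root whose search app has no inputs.conf (the situation in the thread).
make_demo_tree() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/splunkforwarder/etc/apps/search/local" \
             "$root/splunk/etc/apps/search/local"
    cat > "$root/splunkforwarder/etc/apps/search/local/inputs.conf" <<'EOF'
# constructed sample, not taken from a real host
[monitor:///path/to/app/logs]
disabled = false
index = main
sourcetype = app_logs
EOF
    echo "$root"
}
```

On a live host, `splunk cmd btool inputs list --debug` run from the forwarder's `bin` directory reports the same file-to-stanza mapping as resolved by Splunk itself.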