Can Splunk universal forwarders handle and forward newly created log files? I would like to forward data as raw logs to a remote server and not a splunk indexer using the splunk forwarder, but is it smart enough to trigger upon file creation?
if you specify a directory in the inputs.conf being used by the forwarder in question, and the log file is created in that directory, it will get forwarded automatically.
for details about how Splunk monitors files and directories: http://www.splunk.com/base/Documentation/latest/Data/Monitorfilesanddirectories
details on how forwarders can get data: http://www.splunk.com/base/Documentation/latest/Data/Usingforwardingagents
i missed that you were talking about forwarding to a third-party (not splunk) host, here is the info for that:
http://www.splunk.com/base/Documentation/latest/Deploy/Forwarddatatothird-partysystemsd
if you specify a directory in the inputs.conf being used by the forwarder in question, and the log file is created in that directory, it will get forwarded automatically.
for details about how Splunk monitors files and directories: http://www.splunk.com/base/Documentation/latest/Data/Monitorfilesanddirectories
details on how forwarders can get data: http://www.splunk.com/base/Documentation/latest/Data/Usingforwardingagents
i missed that you were talking about forwarding to a third-party (not splunk) host, here is the info for that:
http://www.splunk.com/base/Documentation/latest/Deploy/Forwarddatatothird-partysystemsd