- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Universal Forwarder Syntax for Inputs.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am new to Splunk and have just configured a universal forwarder on a remote windows server in order to forward all log files under a specified folder to the receiver
However I am not able to see the logs being piped to the receiver.
My settings for "inputs.conf" as follows:
[Monitor://\\program files\syslogd\logs]
Disable=0
Any help is appreciated
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure if it's typo in your post but the syntax should be:
[monitor://c:\program files\syslogd\logs]
disabled=false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correction, inputs.conf has this:
[monitor://C:batonSites\VerificationManager\log]
disabled = 1
[monitor://C:batonSites\Workers\log]
disabled = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk.com
Documentation
Splunkbase
Answers
Wiki
Blogs
Developers
Sign UpLogin FAQ
HomeAnswersAppsuserstagsbadgesask a questionupload an app
Universal Forwarder Syntax for Inputs.conf
0
Hi, I am new to Splunk and have just configured a universal forwarder on a remote windows server in order to forward all log files under a specified folder to the receiver However I am not able to see the logs being piped to the receiver. My settings for "inputs.conf" as follows: [Monitor://\program files\syslogd\logs]
Disable=0
Any help is appreciated Thank you
inputsconf
asked 02 May '12, 23:22
fongkh76
11
accept rate:0%
edited 02 May '12, 23:40
Ayn
24.7k●3●7●17
Make sure your outputs.conf is correctly configured, as well. /k
(03 May '12, 01:08)kristian.kolb
One Answer:
oldestnewestmost voted
0
I am not sure if it's typo in your post but the syntax should be: [monitor://c:\program files\syslogd\logs]
disabled=false
link
answered 02 May '12, 23:34
MarioM
2.7k●4●7
accept rate:20%
Thank you so much. It worked perfect with your advised syntax
(03 May '12, 01:47)fongkh76
you welcome! then accept the answer for others looking at same issue,thanks!
(03 May '12, 02:01)MarioM
how do i accept the answer ?
(03 May '12, 02:13)fongkh76
on the left side of the answer and below the answer (before comments)
(03 May '12, 02:52)MarioM
Post your answer
Same problem; logs not being forwarded from a Windows server to pair of indexers. See configs below. A restart of a service "InterraBaton" on the monitored server does not show up on the Splunk via the search head but does show up in the logs on the IB server. Any ideas would b appreciated.
inputs.conf
[default]
index = default
_rcvbuf = 1572864
host = DDCIBVERMGR02
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=
.
.
.
[monitor://C:\batonSites\VerificationManager\log] <<< log 1
disabled = 1
[monitor://C:\batonSites\Workers\log] <<< log 2
disabled = 1
outputs.conf
[tcpout]
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
sendCookedData = true
connectionTimeout = 20
readTimeout = 300
writeTimeout = 300
useACK = true
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = XXX.YYY.138.158:9997,XXX.YYY.138.159:9997
[tcpout-server://XXX.YYY.138.158:9997]
[hide preview]
1324 characters / 164 words
Same problem; logs not being forwarded from a Windows server to pair of indexers. See configs below. A restart of a service "InterraBaton" on the monitored server does not show up on the Splunk via the search head but does show up in the logs on the IB server. Any ideas would b appreciated.
inputs.conf
[default] index = default rcvbuf = 1572864 host = DDCIBVERMGR02 evtresolveadobj = 0 evtdcname= evtdnsname=
. . .
[monitor://C:\batonSites\VerificationManager\log] <<< log 1 disabled = 1 [monitor://C:\batonSites\Workers\log] <<< log 2 disabled = 1
outputs.conf
[tcpout] maxQueueSize = 500KB forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = _audit forwardedindex.filter.disable = false indexAndForward = false autoLBFrequency = 30 blockOnCloning = true compressed = false disabled = false dropClonedEventsOnQueueFull = 5 dropEventsOnQueueFull = -1 heartbeatFrequency = 30 maxFailuresPerInterval = 2 secsInFailureInterval = 1 maxConnectionsPerIndexer = 2 forceTimebasedAutoLB = false sendCookedData = true connectionTimeout = 20 readTimeout = 300 writeTimeout = 300 useACK = true
defaultGroup = default-autolb-group
[tcpout:default-autolb-group] server = XXX.YYY.138.158:9997,XXX.YYY.138.159:9997
[tcpout-server://XXX.YYY.138.158:9997]
Privacy & Terms
0
inShare.
Follow this question
Email:
Log In to enable email subscriptions
RSS:
Answers
Answers + Comments
•
•
•
•
•
•
•
Tags:
inputs
conf
Asked: 02 May '12, 23:22
Seen: 799 times
Last updated: 03 May '12, 02:52
Related questions
Multiple index locations for forwarder
Universal Forwarder
Are "_meta"-entries still supported in inputs.conf?
syntax for scripted input in inputs.conf
How can I merge _meta from several inputs.conf files
List of valid [perfmon://] stanzas for inputs.conf
Splunk Universal forwarder inputs.conf
How to monitor assembly folder in windows ?
universal forwarder scripts linux
Privacy Policy | Terms of Use | Support
Copyright © 2005-2012 Splunk Inc. All rights reserved.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure your outputs.conf is correctly configured, as well.
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure if it's typo in your post but the syntax should be:
[monitor://c:\program files\syslogd\logs]
disabled=false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
on the left side of the answer and below the answer (before comments)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how do i accept the answer ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you welcome! then accept the answer for others looking at same issue,thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much. It worked perfect with your advised syntax
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
