Hi
I've installed splunk indexer on a linux server and universal splunk forwarder on a windows machine,while installing the universal forwader I enabled few logs for forwarding such as
1 WinEventLog:Application
2 WinEventLog:System
3 Perfmon:CPU Load
4 Perfmon:Available Memory
5 Perfmon:Free Disk Space
And this is working as I see this the above splunk indexer ,NOw I want to remove this one and point my application logs in the universal forwader so that I can view the application logs in indexer
How to do this? I tried to do this by editing the input.conf file at /splunkhome/etc/system/local - but no luck - also I need to give new inputs such as my application logs - where do I add this in universal forwader?I'm kind of confused between inputs.conf and output.conf- Can any one please help
Note that the file should be called inputs.conf
, not input.conf
.
please look in $SPLUNK_HOME\etc\apps\<nameoftheapp>\local\input.conf
the app folder name may be MSIinstaller*, but i am not 100% sure.
You should find the ones built by the installer wizard, and use them a model to add new ones.
You can edit either, at the end splunk merges all the configuration from every enabled app and system.
What I was saying is that the inputs created by the windows installer are usually in an app named "MSIsomething". If you want to use them as model.
Are you saying that I have to edit the inputs.conf under $SPLUNK_HOME\etc\apps\MSlinstaller\input.conf and not under system\local\inputs.conf?