Universal Forwarder and folder monitoring

gdavid · ‎06-29-2012

I installed a universal forwarder on my workstation to test monitoring some server directories for changes.
during the install i selected monitored c:\mytestfolder
i see events coming into my index but i can't find which inputs.conf file on my workstation it's specified in.

also for some reason the events come in like this.
WARN FileClassifierManager - The file 'C:\MyTestFolder\Tulips.jpg' is invalid. Reason: binary
INFO TailingProcessor - Ignoring file 'C:\MyTestFolder\Tulips.jpg' due to: binary

gdavid · ‎06-29-2012

finally found it. it seems that settings that come in during the install are located in
C:/Program Files/SplunkUniversalForwarder/etc/apps/MSICreated/local

gdavid · ‎06-29-2012

no local folder under [etc/apps/search/]
the default folder has an empty inputs.conf

i may be using the wrong monitor. i want to see file/directory changes, not parse the files.
but until i can find where monitor is specified i cant change it.

Kate_Lawrence-G · ‎06-29-2012

I believe in the windows version the inputs.conf is located under the etc/apps/search/local directory.
You also should probably exclude the JPG files in that inputs.conf file as it is binary and will throw that type of message in the splunkd.log (/var/log/splunk/splunkd.log)

Thanks,

Kate

Universal Forwarder and folder monitoring

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio