Hello,
I have a certificate file that I want to index in Splunk. The file resides in "D:\somedir\name.cer".
I have tried to create a monitor stanza in inputs.conf but it's not showing up in Splunk.
[monitor://D:\somedir\name.cer]
sourcetype = CERTS
crcSalt = <SOURCE>
disabled = false
followTail = false
index = CERT_INDEX
But the file doesn't show up in Splunk. Is there a different way to monitor certificate files?
Thanks.
This won't work on a UF, but take a look at this app: https://splunkbase.splunk.com/app/3172/#/details
It might be of interest to you. As for your monitor statement, it's correct; however, that cert file is not a standard sourcetype that Splunk will recognize out of the box. Do you have a props defined for these files? You'll need to set up multiline and line breaking.
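A props.conf stanza of the kind the answer above refers to, as an added example that is not part of the original thread. It assumes the .cer file is PEM-encoded text, reuses the CERTS sourcetype name from the question, and is meant for the instance that parses the data (indexer or heavy forwarder) rather than the universal forwarder.

```ini
# props.conf (added example; assumes a PEM-encoded, text-format certificate file)
[CERTS]
# Do not re-merge lines after breaking; LINE_BREAKER alone defines the events.
SHOULD_LINEMERGE = false
# Start a new event only where a new PEM block begins, so each certificate
# (header, base64 body, footer) is indexed as one multiline event.
LINE_BREAKER = ([\r\n]+)(?=-----BEGIN CERTIFICATE-----)
# Do not cut off long events.
TRUNCATE = 0
# The base64 body carries no usable timestamp; stamp events with index time.
DATETIME_CONFIG = CURRENT
```

A DER-encoded .cer file is binary rather than text, so this line breaking does not apply to it.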
Thanks @esix_splunk for the response. I will try that app.
Regarding the source type, I have not defined anything in the props.conf file, but when I query the data in Splunk, I can see my defined source types available under the "sourcetype" field.
Actually, my source types are generated by a script based on the JVM name and are set in inputs.conf during forwarder setup.
Is this not the right way of doing it?
Or maybe I need to define custom fields and define source types based on data.