Hi, I am a newbie. I have installed the Splunk Universal Forwarder on a Windows client to forward logs to Splunk Cloud. When I run the command below, it executes without any error. But when I check the /etc/local/inputs.conf file, there is no monitor section.
/splunk add monitor "D:\SGN" -index qa -sourcetype test_log -host <myip>
Also, if I execute the list monitor command, it also shows the monitored directory. How do I debug or find out what's wrong?
Note: I am creating the AWS EC2 instance by passing UF installation scripts in userdata, in case it makes any difference.
Hi aanataliya,
When you say that there isn't any stanza in /etc/local/inputs.conf, are you speaking of
$SPLUNK_HOME\etc\system\local\inputs.conf
or what? You said that the Universal Forwarder is running on a Windows client.
At the same time, be careful with the command: in $SPLUNK_HOME\bin it is
splunk add monitor "D:\SGN" -index qa -sourcetype test_log -host <myip>
without the slash at the beginning (you have to use ./ on Linux).
Anyway, try the following command on the Forwarder, in $SPLUNK_HOME\bin:
splunk cmd btool inputs list --debug > my_file_inputs.txt
In this way you can find where the stanza that you configured with your command was stored.
Bye.
Giuseppe
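
An added example, not part of the original posts and not Splunk's own tooling: a Python script that reads output in the `btool inputs list --debug` layout (source file path, whitespace, then the stanza header or setting) and reports which inputs.conf each monitor stanza is attributed to. The sample output, install path and host value are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample of `splunk cmd btool inputs list --debug` output.
# Paths and values are illustrative, not taken from the thread.
SAMPLE = r"""
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf   [default]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf   index = default
C:\Program Files\SplunkUniversalForwarder\etc\apps\search\local\inputs.conf [monitor://D:\SGN]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf   _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\search\local\inputs.conf disabled = false
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf     host = 10.0.0.5
C:\Program Files\SplunkUniversalForwarder\etc\apps\search\local\inputs.conf index = qa
C:\Program Files\SplunkUniversalForwarder\etc\apps\search\local\inputs.conf sourcetype = test_log
"""

# The path may contain spaces ("Program Files"), so split on the first
# ".conf" that is followed by whitespace rather than on the first space.
LINE = re.compile(r"^(?P<path>.+?\.conf)\s+(?P<body>.*)$")

def parse_btool_debug(text):
    """Return {stanza: {"file": path, "settings": {key: (value, path)}}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        path, body = m.group("path"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas[current] = {"file": path, "settings": {}}
        elif current is not None and "=" in body:
            key, value = (p.strip() for p in body.split("=", 1))
            # Keep the file each setting came from to show config layering.
            stanzas[current]["settings"][key] = (value, path)
    return stanzas

def monitor_sources(text):
    """Map each monitored path to the file its stanza header is attributed to."""
    return {name[len("monitor://"):]: info["file"]
            for name, info in parse_btool_debug(text).items()
            if name.startswith("monitor://")}

if __name__ == "__main__":
    for target, conf in monitor_sources(SAMPLE).items():
        print(f"{target} -> {conf}")
```

To use it on a real forwarder, pass the contents of my_file_inputs.txt to `monitor_sources` instead of `SAMPLE`.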