Getting Data In

Splunk add monitor not sending log to splunk cloud

aanataliya
Explorer

Hi I am newbie. I have installed splunk universal forwarder on windows client to forward log on Splunk Cloud. When I run below command, it executes without any error. But when I check /etc/local/inputs.conf file there is no section of monitor.

/splunk add monitor "D:\SGN" -index qa -sourcetype test_log -host <myip>

Also, If I execute list monitor command then also it shows monitored directory. How do I debug or find out whats wrong.

Note: I am creating AWS EC2 instance by passing UF installation scripts in userdata. in case, if it makes any difference.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi aanataliya,
when you say that there isn't any stanza in /etc/local/inputs.conf, are you speaking of
$SPLUNK_HOME\etc\system\local\inputs.conf
or what? you said that Universal Forwarder is running on Windows client.

At the same time, beware to the command , in $SPLUNK_HOME\bin that is

splunk add monitor "D:\SGN" -index qa -sourcetype test_log -host <myip>

without the slash at the beginning (you have to use ./ on Linux).

Anyway, try the following command on Forwarder, in $SPLUNK_HOME\bin:

splunk cmd btool inputs list --debug > my_file_inputs.txt

In this way you can find where was stored the stanza that you configured with your command.

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...