All,
I just finished day 1 of the administration of Splunk class. Gotta admit to being lost.So I fired up a lab, 3 VMs. splunk01, host01, deploy01 and DC01 (for DNS).
Installed Splunk on Splunk01 and it worked. Enabled the listening on 9997. Installed the forwarders on host01. I can see the host check in when I do a search with index=_internal *splunkforwarder*
as we did in the class.
But I made my own little "app". I created a folder under /opt/splunkforwarder/etc/myappname and folder under there called /local
My inputs.conf which I placed in /local reads as follows
[monitor:///var/log/messages]
disabled = 0
index=main
I restarted the forwarder, waited. Nothing ever came through. Any ideas to what I should be checking now?
You have ommitted the apps directory from the path :
/opt/splunkforwarder/etc/apps/myappname/local/inputs.conf