Re: Universal Forwarder - Add another Log FIle to ...

pgergen · ‎10-23-2011

Hi

I have a Linux Splunk Indexer.

How do I add another log file to be indexed by Splunk to the Universal Forwarder on a Windows Server ?

Many Thanks

Regards
Peta Gergen
peta.gergen@team.telstra.com

lalit_mohan · ‎11-13-2013

Hi Guys,

I have similar problem!!!

I have two instances one is splunk-server and other is splunk-forwarder(universalForwarder).
Everything is fine with configuration ,then I tried to monitor tomcat logs and I have perform below steps on forwarder.

/usr/share/splunk_setup/splunkforwarder/bin/splunk add monitor /usr/share/apache-tomcat-7.0.42/logs/catalina.out -index default -sourcetype log4j -hostname splunkforwarder

But in search tab of splunk-web I always get No results found.

Am I missing something !!!.Please help me out.
Thanks in advance!!

Ayn · ‎10-23-2011

There's a whole manual covering these topics in the docs. This should be a good place to start: http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureyourinputs

Long story short: either use the CLI or add a directive in in an inputs.conf file (for instance in $SPLUNK_HOME/etc/system/local).

CLI: $SPLUNK_HOME/bin/splunk add monitor <logdir>

inputs.conf: [monitor:///<logdir>]

Universal Forwarder - Add another Log FIle to Index

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio