Hello,
I have a problem with the Splunk Forwarder.
Currently, I monitor a directory (/var/log/httpd/*), but it automatically deletes old logs and inserts new logs. The default index is "main".
I want to store them under a new index named "weblog", so I did:
- Step 1: delete all httpd logs with the search query: "source=httpd | delete"
- Step 2: remove the old monitor and add a new one: ./splunk add monitor "/var/log/httpd/*" -index weblog -sourcetype newsource
But it is not working.
If I use the command below, it works but does not define a new index: ./splunk add monitor "/var/log/httpd/*" -sourcetype newsource
Can you help me resolve my problem?
Thanks.
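The commands in the post end up as stanzas in the forwarder's inputs.conf, and a monitor stanza with no `index` line sends its events to the default index ("main" in the post). The following added example (not part of the post, and not Splunk's own tooling) parses a constructed inputs.conf sample and reports which monitored paths lack an explicit index and which ones route to a given index, so the result of an `add monitor` change can be confirmed on disk rather than by searching for events. The sample file contents and the `DEFAULT_INDEX` constant are assumptions of the example.

```python
import configparser

# Constructed sample of a forwarder's inputs.conf (assumption, not a real file).
# The first stanza is the shape the post is after: an explicit index.
# The second is what "add monitor" writes when -index is omitted, so its
# events fall through to the default index.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log/httpd/*]
index = weblog
sourcetype = newsource
disabled = false

[monitor:///var/log/secure]
sourcetype = linux_secure
"""

# Destination used when a monitor stanza sets no index (assumed default).
DEFAULT_INDEX = "main"


def parse_monitor_stanzas(conf_text):
    """Return {monitored_path: {key: value}} for every [monitor://...] stanza."""
    # Splunk .conf files are INI-like; only '=' separates key and value here,
    # so ':' inside section headers such as monitor:// is not treated specially.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(conf_text)
    stanzas = {}
    for section in parser.sections():
        if section.startswith("monitor://"):
            path = section[len("monitor://"):]
            stanzas[path] = dict(parser[section])
    return stanzas


def effective_index(stanza):
    """Index the stanza's events will land in, applying the default if unset."""
    return stanza.get("index", DEFAULT_INDEX)


def monitors_without_explicit_index(conf_text):
    """Monitored paths whose events silently go to the default index."""
    return sorted(path for path, stanza in parse_monitor_stanzas(conf_text).items()
                  if "index" not in stanza)


def monitors_for_index(conf_text, index_name):
    """Monitored paths routed to index_name (explicitly or via the default)."""
    return sorted(path for path, stanza in parse_monitor_stanzas(conf_text).items()
                  if effective_index(stanza) == index_name)


def audit_inputs_conf(path):
    """Read a real inputs.conf from disk and run the same checks on it."""
    with open(path, encoding="utf-8") as fh:
        conf_text = fh.read()
    return {
        "no_explicit_index": monitors_without_explicit_index(conf_text),
        "stanzas": parse_monitor_stanzas(conf_text),
    }


if __name__ == "__main__":
    # Run against the constructed sample; point audit_inputs_conf() at
    # $SPLUNK_HOME/etc/system/local/inputs.conf on a real forwarder.
    print("monitors with no explicit index:",
          monitors_without_explicit_index(SAMPLE_INPUTS_CONF))
    print("monitors routed to weblog:",
          monitors_for_index(SAMPLE_INPUTS_CONF, "weblog"))
```

Checking the stanza on disk separates two failure modes: the forwarder never wrote the `index = weblog` line (a CLI or config-precedence problem), versus the line is present but the events are not searchable, which points at the receiving side, for example the index not existing on the indexer.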