Hello Gekoner,
After issuing the "splunk monitor /var/log/squid/access.log -sourcetype squid" command, the following is appended to the inputs.conf file in the "/opt/splunkforwarder/etc/apps/search/local" directory:
[monitor:///var/log/squid/access.log]
disabled = false
sourcetype = squid
And after the "splunk add forward-server 192.168.2.2:9997" command, the following gets appended to the outputs.conf file in the "/opt/splunkforwarder/etc/system/local" directory:
[tcpout]
defaultGroup = 192.168.2.2_9997
disabled = false
[tcpout:192.168.2.2_9997]
server = 192.168.2.2:9997
[tcpout-server://192.168.2.2:9997]
So I believe that what you are talking about is being done when I give splunk the commands mentioned above. I am not sure what other inputs.conf or outputs.conf are there for me to put the info in.
Even after a restart, if I issue the add monitor command again, it won't let me because it says the file is already being monitored. So there must be a file somewhere that knows I already issued the add monitor command. Even after I delete the info in the inputs.conf file and reissue the add monitor command, it still won't let me because it thinks I am already monitoring it.
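Added example, not part of the original post: a small Python script that walks a forwarder's etc directory and reports every inputs.conf that defines a given monitor stanza, with the settings each one carries. The sample files are constructed, the app name example_app is hypothetical, and the script assumes only the stanza format shown in the post.

```python
import os
import tempfile

def read_stanzas(conf_path):
    """Return {stanza_name: {key: value}} for one .conf file."""
    stanzas, current = {}, None
    with open(conf_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif current is not None and "=" in line:
                key, value = line.split("=", 1)
                current[key.strip()] = value.strip()
    return stanzas

def find_monitor(etc_root, monitored_path):
    """List (inputs.conf path relative to etc_root, settings) for each definition."""
    wanted = "monitor://" + monitored_path
    hits = []
    for dirpath, _dirs, files in os.walk(etc_root):
        if "inputs.conf" in files:
            conf = os.path.join(dirpath, "inputs.conf")
            settings = read_stanzas(conf).get(wanted)
            if settings is not None:
                hits.append((os.path.relpath(conf, etc_root), settings))
    return sorted(hits)

# Constructed sample layout: the same monitor defined in two places.
SAMPLE = {
    "apps/search/local/inputs.conf":
        "[monitor:///var/log/squid/access.log]\ndisabled = false\nsourcetype = squid\n",
    "apps/example_app/local/inputs.conf":  # hypothetical second app
        "[monitor:///var/log/squid/access.log]\ndisabled = false\n",
    "system/local/inputs.conf": "[default]\nhost = fwd01\n",
}

def demo():
    """Write SAMPLE into a temporary etc tree and search it."""
    with tempfile.TemporaryDirectory() as etc_root:
        for rel, text in SAMPLE.items():
            path = os.path.join(etc_root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return find_monitor(etc_root, "/var/log/squid/access.log")

if __name__ == "__main__":
    for conf, settings in demo():
        print(conf, settings)
```

On a real forwarder, call find_monitor("/opt/splunkforwarder/etc", "/var/log/squid/access.log"); Splunk's own "splunk btool inputs list --debug" prints the merged settings together with the file each one comes from.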