Hi Kristian,
Thanks for your reply. Regarding your questions:
a) I'm syslogging straight into a remote Splunk server
b) Yes
c) Yes, all common files like messages,mail.warn etc
d) Yes
e) Which of the inputs.conf you want?
/home/splunk/etc/apps/sample_app/default/inputs.conf
/home/splunk/etc/apps/SplunkDeploymentMonitor/local/inputs.conf
/home/splunk/etc/apps/SplunkLightForwarder/default/inputs.conf
/home/splunk/etc/apps/SplunkUniversalForwarder/default/inputs.conf
/home/splunk/etc/apps/unix/default.old.20101206-173730/inputs.conf
/home/splunk/etc/apps/unix/default.old.20110318-103823/inputs.conf
/home/splunk/etc/apps/unix/default.old.20110318-103823/inputs.conf.in
/home/splunk/etc/modules/distributedDeployment/classes/deployable/inputs.conf
/home/splunk/etc/system/default/inputs.conf
/home/splunk/etc/system/local/inputs.conf
/home/splunk/etc/system/README/inputs.conf.example
/home/splunk/etc/system/README/inputs.conf.spec
In case that you need the /home/splunk/etc/system/default/inputs.conf, its content is:
... View more