topic input.conf first timer in Getting Data In https://community.splunk.com/t5/Getting-Data-In/input-conf-first-timer/m-p/66705#M13403 <P>All, </P> <P>I just finished day 1 of the administration of Splunk class. Gotta admit to being lost.So I fired up a lab, 3 VMs. splunk01, host01, deploy01 and DC01 (for DNS). </P> <P>Installed Splunk on Splunk01 and it worked. Enabled the listening on 9997. Installed the forwarders on host01. I can see the host check in when I do a search with <CODE>index=_internal *splunkforwarder*</CODE> as we did in the class. </P> <P>But I made my own little "app". I created a folder under /opt/splunkforwarder/etc/myappname and folder under there called /local</P> <P>My inputs.conf which I placed in /local reads as follows</P> <PRE><CODE>[monitor:///var/log/messages] disabled = 0 index=main </CODE></PRE> <P>I restarted the forwarder, waited. Nothing ever came through. Any ideas to what I should be checking now? </P> Tue, 18 Dec 2012 05:18:35 GMT daniel333 2012-12-18T05:18:35Z input.conf first timer https://community.splunk.com/t5/Getting-Data-In/input-conf-first-timer/m-p/66705#M13403 <P>All, </P> <P>I just finished day 1 of the administration of Splunk class. Gotta admit to being lost.So I fired up a lab, 3 VMs. splunk01, host01, deploy01 and DC01 (for DNS). </P> <P>Installed Splunk on Splunk01 and it worked. Enabled the listening on 9997. Installed the forwarders on host01. I can see the host check in when I do a search with <CODE>index=_internal *splunkforwarder*</CODE> as we did in the class. </P> <P>But I made my own little "app". I created a folder under /opt/splunkforwarder/etc/myappname and folder under there called /local</P> <P>My inputs.conf which I placed in /local reads as follows</P> <PRE><CODE>[monitor:///var/log/messages] disabled = 0 index=main </CODE></PRE> <P>I restarted the forwarder, waited. Nothing ever came through. Any ideas to what I should be checking now? </P> Tue, 18 Dec 2012 05:18:35 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-first-timer/m-p/66705#M13403 daniel333 2012-12-18T05:18:35Z Re: input.conf first timer https://community.splunk.com/t5/Getting-Data-In/input-conf-first-timer/m-p/66706#M13404 <P>You have ommitted the apps directory from the path :</P> <P>/opt/splunkforwarder/etc/<STRONG>apps</STRONG>/myappname/local/inputs.conf</P> Tue, 18 Dec 2012 06:47:44 GMT https://community.splunk.com/t5/Getting-Data-In/input-conf-first-timer/m-p/66706#M13404 Damien_Dallimor 2012-12-18T06:47:44Z