https://community.splunk.com/t5/Getting-Data-In/Forwarding-a-scripted-input-from-var-log-messages/m-p/27313#M4573 <P>I am trying to forward input from a universal forwarder to a regular Splunk installation on my desktop.</P> <P>The universal forwarder was installed on a linux webapp server where I configured the inputs.conf (in the /etc/system/local dir) to take a scripted input (basically a bash script with a tail command of /var/log/messages piped to grep for a keyword). That is the only input I have configured in local. I restarted, checked logs, etc. </P> <P>Unforunately I don't see the source, sourcetypes, or host for the linux webapp in the search homepage. I DO see the three windows hosts I installed a forwarder on, however they are pulling a log file for a client service. I feel like I am missing something somewhere. I tested the script for output, which it does. I double checked the syntax in input.conf. Im looking at the splunkd.log and I see the default directives:</P> <P>TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk<BR /> etc..</P> <P>I do not see my script://tail_daemon.sh directive. </P> <P>I'm not sure where else to look for errors. </P> Thu, 08 Nov 2012 05:52:40 GMT aschoen 2012-11-08T05:52:40Z https://community.splunk.com/t5/Getting-Data-In/Forwarding-a-scripted-input-from-var-log-messages/m-p/27313#M4573 <P>I am trying to forward input from a universal forwarder to a regular Splunk installation on my desktop.</P> <P>The universal forwarder was installed on a linux webapp server where I configured the inputs.conf (in the /etc/system/local dir) to take a scripted input (basically a bash script with a tail command of /var/log/messages piped to grep for a keyword). That is the only input I have configured in local. I restarted, checked logs, etc. </P> <P>Unforunately I don't see the source, sourcetypes, or host for the linux webapp in the search homepage. I DO see the three windows hosts I installed a forwarder on, however they are pulling a log file for a client service. I feel like I am missing something somewhere. I tested the script for output, which it does. I double checked the syntax in input.conf. Im looking at the splunkd.log and I see the default directives:</P> <P>TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk<BR /> etc..</P> <P>I do not see my script://tail_daemon.sh directive. </P> <P>I'm not sure where else to look for errors. </P> Thu, 08 Nov 2012 05:52:40 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarding-a-scripted-input-from-var-log-messages/m-p/27313#M4573 aschoen 2012-11-08T05:52:40Z https://community.splunk.com/t5/Getting-Data-In/Forwarding-a-scripted-input-from-var-log-messages/m-p/27314#M4574 <P>Note that the file name is inputs.conf, not input.conf. That could be your problem. But if that's not it, read on...</P> <P>As a test, ask the universal forwarder to monitor a regular file, instead of just running a scripted input. For example, on the desktop, create an index named <CODE>test</CODE> and then</P> <P>On the linux web app server, add the following to your inputs.conf:</P> <PRE><CODE>[monitor:///var/log/messages] index=test sourcetype=messages </CODE></PRE> <P>Restart the universal forwarder. See if you are getting any data into the the test index on your desktop. (Just search for <CODE>index=test</CODE>. If you get the data, then something is wrong with your script. If you don't get the data, then something is probably wrong with your forwarder configuration.</P> <P>Look here for help troubleshooting your forwarder: <A href="http://splunk-base.splunk.com/answers/465/ive-set-up-a-forwarder-but-im-not-receving-any-events-on-the-splunk-indexer">http://splunk-base.splunk.com/answers/465/ive-set-up-a-forwarder-but-im-not-receving-any-events-on-the-splunk-indexer</A></P> Thu, 08 Nov 2012 07:06:43 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarding-a-scripted-input-from-var-log-messages/m-p/27314#M4574 lguinn2 2012-11-08T07:06:43Z