https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409029#M72555 <P>there are logs files in var\log\splunk (files like splunkd.log , health.log) so i changer the monitor to var\log\splunk\*.log but the type is also missing</P> Wed, 15 Aug 2018 18:27:51 GMT neermine 2018-08-15T18:27:51Z https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409021#M72547 <P>should we modify the props.conf and the transforms.conf when we create a now index and a new sourcetype ?</P> Wed, 15 Aug 2018 10:50:20 GMT https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409021#M72547 neermine 2018-08-15T10:50:20Z https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409022#M72548 <P>Hello,</P> <P>To create new index, you need to modify indexes.conf.<BR /> To assign new index and sourcetype to your data, you need to modify inputs.conf.<BR /> To configure settings to extract timestamps, fields from your data and to set event boundaries for your data, you need to modify props.conf.<BR /> To set parsing rules, you need to modify transforms.conf.</P> <P>If you can explain more about what you're trying to achieve, we can direct you to correct configuration file(s).</P> Wed, 15 Aug 2018 13:00:05 GMT https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409022#M72548 sudosplunk 2018-08-15T13:00:05Z https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409023#M72549 <P>i'm trying to assign new index and sourcetype to my data .. i did modify inputs.conf but it didn't work i thought may be it's not the only thing that i must do </P> Wed, 15 Aug 2018 13:12:10 GMT https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409023#M72549 neermine 2018-08-15T13:12:10Z https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409024#M72550 <P>What part of it did not work? You can't see data in your new index with your new sourcetype? Or the data isn't assigned to right index and sourcetype even after correctly defining your inputs.conf? Can you share your inputs.conf (mask unwanted information). Thanks.</P> Wed, 15 Aug 2018 13:15:48 GMT https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409024#M72550 sudosplunk 2018-08-15T13:15:48Z https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409025#M72551 <P>this is my inputs.conf in splunkuniversalforwarder\etc\system\local<BR /> [monitor:/C:\var\log*.log]<BR /> disabled=0<BR /> sourcetype= log<BR /> index =me<BR /> i also create a new sourcetype and index with the same names in splunk because they weren't created automaticlly and there is no events in my indexer <BR /> thanks.</P> Wed, 15 Aug 2018 13:25:00 GMT https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409025#M72551 neermine 2018-08-15T13:25:00Z https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409026#M72552 <P>I am assuming your monitor stanza is <CODE>[monitor://C:\var\log*.log]</CODE>.<BR /> Can you see your input when you run this command <CODE>splunk list inputstatus</CODE>?<BR /> Try expanding your time range. Search for "All-Time" to see if any data shows up?</P> <P>Please see that you've checked all the aspects listed here in <A href="http://docs.splunk.com/Documentation/Splunk/7.1.2/Troubleshooting/Cantfinddata">documentation</A>.</P> Wed, 15 Aug 2018 13:51:30 GMT https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409026#M72552 sudosplunk 2018-08-15T13:51:30Z https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409027#M72553 <P>when i do splunk list inputstatus i find c:\var\log*.log type = missing</P> Wed, 15 Aug 2018 15:26:47 GMT https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409027#M72553 neermine 2018-08-15T15:26:47Z https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409028#M72554 <P>This can mean, splunk is trying to monitor your file but the file is missing. Can you navigate to <CODE>C:\var\</CODE> folder and check if there are log files starting with <CODE>log</CODE> (because, according to your monitor stanza, splunk will <STRONG>ONLY</STRONG> read files starting with <CODE>log</CODE> and ending in <CODE>.log</CODE> extension. Also, please check if these log files have any data. </P> Wed, 15 Aug 2018 17:52:55 GMT https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409028#M72554 sudosplunk 2018-08-15T17:52:55Z https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409029#M72555 <P>there are logs files in var\log\splunk (files like splunkd.log , health.log) so i changer the monitor to var\log\splunk\*.log but the type is also missing</P> Wed, 15 Aug 2018 18:27:51 GMT https://community.splunk.com/t5/Getting-Data-In/new-index-and-sourcetype/m-p/409029#M72555 neermine 2018-08-15T18:27:51Z