https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442824#M77137 <P>So is the config above ok ( without the typo).</P> <P>we are setup for port 9998 using ssl certs signed by the client. And we do have other forwarders that are working ok.</P> <P>I can see the new indexer now found a config error.</P> Thu, 20 Dec 2018 21:38:01 GMT alanhowlett 2018-12-20T21:38:01Z https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442820#M77133 <P>I'm trying to configure splunk to ingest two application logfiles, not the event logs the actual application logfile (text).</P> <P>Its my first time ingesting windows forwarder logs (I'm a linux man really), but I did read that it can be done in the inputs.conf so I tried the below:</P> <P>[monitor://D:\lfbank\wincsl\logs\wincsl-service.log]<BR /> disabled = 0<BR /> index = wincsl<BR /> souurcetype = lfab_wincsl1</P> <P>[monitor://D:\inetpub\logs\logfiles\W3SVC*]<BR /> disabled = 0<BR /> index = wincsl<BR /> souurcetype = lfab_wincsl2</P> <P>I do have an outputs.conf configured, but am still seeing no data.</P> Thu, 20 Dec 2018 17:04:54 GMT https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442820#M77133 alanhowlett 2018-12-20T17:04:54Z https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442821#M77134 <P>Does the wincsl index exist? Also, not sure if this is a typo in your question, or if this is the way your inputs.conf looks, but sourcetype is spelled incorrectly It has two u's.</P> Thu, 20 Dec 2018 17:11:56 GMT https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442821#M77134 kmorris_splunk 2018-12-20T17:11:56Z https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442822#M77135 <P>Corrected the typo drrrrrr. Still not working.</P> <P>If I look in the GUI I don't see the index, but I have another built and that does show up either. But works.</P> Thu, 20 Dec 2018 17:24:19 GMT https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442822#M77135 alanhowlett 2018-12-20T17:24:19Z https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442823#M77136 <P>Set your search to All Time, just in case there are timestamping issues. You can also click on the Data Summary which has host, source and sourcetype tabs where you can look at all of the values for each to see if you can see the values you are expecting for any of those metadata fields.</P> <P>Also, make sure you have no firewalls blocking the traffic. I'm making the assumption that you are already listening on port 9997 on your indexers as well. </P> Thu, 20 Dec 2018 21:30:41 GMT https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442823#M77136 kmorris_splunk 2018-12-20T21:30:41Z https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442824#M77137 <P>So is the config above ok ( without the typo).</P> <P>we are setup for port 9998 using ssl certs signed by the client. And we do have other forwarders that are working ok.</P> <P>I can see the new indexer now found a config error.</P> Thu, 20 Dec 2018 21:38:01 GMT https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442824#M77137 alanhowlett 2018-12-20T21:38:01Z https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442825#M77138 <P>What does your splunk forwarder logs say, are there any lines including the names of these logs?</P> Thu, 20 Dec 2018 22:35:10 GMT https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442825#M77138 briancronrath 2018-12-20T22:35:10Z https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442826#M77139 <P>I don't have access to the forwarders. I'm just using the deployment server to send the configs out.</P> <P>I'm going to have to check things tomorrow with the engineer on site.</P> <P>As long as my syntax is ok.</P> Thu, 20 Dec 2018 22:57:44 GMT https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442826#M77139 alanhowlett 2018-12-20T22:57:44Z https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442827#M77140 <P>You need to add <CODE>WindEventLog:Application</CODE> stanza before monitor.<BR /> For Example:</P> <PRE><CODE>[WinEventLog:Application] disabled = 0 start_from = oldest current_only = 0 </CODE></PRE> Tue, 28 Jan 2020 23:13:06 GMT https://community.splunk.com/t5/Getting-Data-In/windows-application-log-files/m-p/442827#M77140 vsai0718 2020-01-28T23:13:06Z