https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42492#M7919 <P>I am not sure if it's typo in your post but the syntax should be:</P> <PRE><CODE>[monitor://c:\program files\syslogd\logs] disabled=false </CODE></PRE> Thu, 03 May 2012 06:34:39 GMT MarioM 2012-05-03T06:34:39Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42491#M7918 <P>Hi,</P> <P>I am new to Splunk and have just configured a universal forwarder on a remote windows server in order to forward all log files under a specified folder to the receiver</P> <P>However I am not able to see the logs being piped to the receiver.</P> <P>My settings for "inputs.conf" as follows:</P> <PRE><CODE>[Monitor://\\program files\syslogd\logs] Disable=0 </CODE></PRE> <P>Any help is appreciated</P> <P>Thank you</P> Thu, 03 May 2012 06:22:37 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42491#M7918 fongkh76 2012-05-03T06:22:37Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42492#M7919 <P>I am not sure if it's typo in your post but the syntax should be:</P> <PRE><CODE>[monitor://c:\program files\syslogd\logs] disabled=false </CODE></PRE> Thu, 03 May 2012 06:34:39 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42492#M7919 MarioM 2012-05-03T06:34:39Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42493#M7920 <P>Make sure your outputs.conf is correctly configured, as well. </P> <P>/k</P> Thu, 03 May 2012 08:08:00 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42493#M7920 kristian_kolb 2012-05-03T08:08:00Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42494#M7921 <P>Thank you so much. It worked perfect with your advised syntax</P> Thu, 03 May 2012 08:47:58 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42494#M7921 fongkh76 2012-05-03T08:47:58Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42495#M7922 <P>you welcome! then accept the answer for others looking at same issue,thanks!</P> Thu, 03 May 2012 09:01:26 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42495#M7922 MarioM 2012-05-03T09:01:26Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42496#M7923 <P>how do i accept the answer ?</P> Thu, 03 May 2012 09:13:30 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42496#M7923 fongkh76 2012-05-03T09:13:30Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42497#M7924 <P>on the left side of the answer and below the answer (before comments)</P> Thu, 03 May 2012 09:52:27 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42497#M7924 MarioM 2012-05-03T09:52:27Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42498#M7925 <P>Splunk.com<BR /> Documentation<BR /> Splunkbase<BR /> Answers<BR /> Wiki<BR /> Blogs<BR /> Developers</P> <P>Sign UpLogin FAQ</P> <P>HomeAnswersAppsuserstagsbadgesask a questionupload an app</P> <P>Universal Forwarder Syntax for Inputs.conf</P> <P>0 </P> <P>Hi, I am new to Splunk and have just configured a universal forwarder on a remote windows server in order to forward all log files under a specified folder to the receiver However I am not able to see the logs being piped to the receiver. My settings for "inputs.conf" as follows: [Monitor://\program files\syslogd\logs]</P> <P>Disable=0<BR /> Any help is appreciated Thank you<BR /> inputsconf</P> <P>asked 02 May '12, 23:22</P> <P>fongkh76<BR /> 11<BR /> accept rate:0%</P> <P>edited 02 May '12, 23:40</P> <P>Ayn<BR /> 24.7k●3●7●17</P> <P>Make sure your outputs.conf is correctly configured, as well. /k<BR /> (03 May '12, 01:08)kristian.kolb</P> <HR /> <P>One Answer:</P> <P>oldestnewestmost voted</P> <P>0 </P> <P>I am not sure if it's typo in your post but the syntax should be: [monitor://c:\program files\syslogd\logs]<BR /> disabled=false</P> <P>link</P> <P>answered 02 May '12, 23:34</P> <P>MarioM<BR /> 2.7k●4●7<BR /> accept rate:20%</P> <P>Thank you so much. It worked perfect with your advised syntax<BR /> (03 May '12, 01:47)fongkh76</P> <P>you welcome! then accept the answer for others looking at same issue,thanks!<BR /> (03 May '12, 02:01)MarioM</P> <P>how do i accept the answer ?<BR /> (03 May '12, 02:13)fongkh76</P> <P>on the left side of the answer and below the answer (before comments)<BR /> (03 May '12, 02:52)MarioM</P> <P>Post your answer</P> <P>Same problem; logs not being forwarded from a Windows server to pair of indexers. See configs below. A restart of a service "InterraBaton" on the monitored server does not show up on the Splunk via the search head but does show up in the logs on the IB server. Any ideas would b appreciated.</P> <H6>inputs.conf</H6> <P>[default]<BR /> index = default<BR /> _rcvbuf = 1572864<BR /> host = DDCIBVERMGR02<BR /> evt_resolve_ad_obj = 0<BR /> evt_dc_name=<BR /> evt_dns_name=</P> <P>.<BR /> .<BR /> .</P> <P>[monitor://C:\batonSites\VerificationManager\log] &lt;&lt;&lt; log 1<BR /> disabled = 1<BR /> [monitor://C:\batonSites\Workers\log] &lt;&lt;&lt; log 2<BR /> disabled = 1</P> <H6>outputs.conf</H6> <P>[tcpout]<BR /> maxQueueSize = 500KB<BR /> forwardedindex.0.whitelist = .*<BR /> forwardedindex.1.blacklist = _.*<BR /> forwardedindex.2.whitelist = _audit<BR /> forwardedindex.filter.disable = false<BR /> indexAndForward = false<BR /> autoLBFrequency = 30<BR /> blockOnCloning = true<BR /> compressed = false<BR /> disabled = false<BR /> dropClonedEventsOnQueueFull = 5<BR /> dropEventsOnQueueFull = -1<BR /> heartbeatFrequency = 30<BR /> maxFailuresPerInterval = 2<BR /> secsInFailureInterval = 1<BR /> maxConnectionsPerIndexer = 2<BR /> forceTimebasedAutoLB = false<BR /> sendCookedData = true<BR /> connectionTimeout = 20 <BR /> readTimeout = 300<BR /> writeTimeout = 300 <BR /> useACK = true</P> <P>defaultGroup = default-autolb-group</P> <P>[tcpout:default-autolb-group]<BR /> server = XXX.YYY.138.158:9997,XXX.YYY.138.159:9997</P> <P>[tcpout-server://XXX.YYY.138.158:9997]</P> <P>[hide preview]</P> <P>1324 characters / 164 words</P> <P>Same problem; logs not being forwarded from a Windows server to pair of indexers. See configs below. A restart of a service "InterraBaton" on the monitored server does not show up on the Splunk via the search head but does show up in the logs on the IB server. Any ideas would b appreciated.</P> <P>inputs.conf</P> <P>[default] index = default rcvbuf = 1572864 host = DDCIBVERMGR02 evtresolveadobj = 0 evtdcname= evtdnsname=</P> <P>. . .</P> <P>[monitor://C:\batonSites\VerificationManager\log] &lt;&lt;&lt; log 1 disabled = 1 [monitor://C:\batonSites\Workers\log] &lt;&lt;&lt; log 2 disabled = 1</P> <P>outputs.conf</P> <P>[tcpout] maxQueueSize = 500KB forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = _audit forwardedindex.filter.disable = false indexAndForward = false autoLBFrequency = 30 blockOnCloning = true compressed = false disabled = false dropClonedEventsOnQueueFull = 5 dropEventsOnQueueFull = -1 heartbeatFrequency = 30 maxFailuresPerInterval = 2 secsInFailureInterval = 1 maxConnectionsPerIndexer = 2 forceTimebasedAutoLB = false sendCookedData = true connectionTimeout = 20 readTimeout = 300 writeTimeout = 300 useACK = true</P> <P>defaultGroup = default-autolb-group</P> <P>[tcpout:default-autolb-group] server = XXX.YYY.138.158:9997,XXX.YYY.138.159:9997</P> <P>[tcpout-server://XXX.YYY.138.158:9997]</P> <P>Privacy &amp; Terms </P> <P>0<BR /> inShare.</P> <P>Follow this question<BR /> Email:<BR /> Log In to enable email subscriptions<BR /> RSS:<BR /> Answers</P> <P>Answers + Comments</P> <P>•<BR /> •<BR /> •<BR /> •<BR /> •<BR /> •<BR /> •</P> <P>Tags: </P> <P>inputs <BR /> conf </P> <P>Asked: 02 May '12, 23:22</P> <P>Seen: 799 times</P> <P>Last updated: 03 May '12, 02:52</P> <P>Related questions</P> <P>Multiple index locations for forwarder</P> <P>Universal Forwarder</P> <P>Are "_meta"-entries still supported in inputs.conf?</P> <P>syntax for scripted input in inputs.conf</P> <P>How can I merge _meta from several inputs.conf files</P> <P>List of valid [perfmon://] stanzas for inputs.conf</P> <P>Splunk Universal forwarder inputs.conf</P> <P>How to monitor assembly folder in windows ?</P> <P>universal forwarder scripts linux</P> <P>Privacy Policy | Terms of Use | Support</P> <P>Copyright © 2005-2012 Splunk Inc. All rights reserved. </P> Mon, 28 Sep 2020 13:55:10 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42498#M7925 hokie1999 2020-09-28T13:55:10Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42499#M7926 <P>Correction, inputs.conf has this:</P> <P>[monitor://C:batonSites\VerificationManager\log]<BR /> disabled = 1<BR /> [monitor://C:batonSites\Workers\log]<BR /> disabled = 1</P> Thu, 16 May 2013 16:05:19 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Syntax-for-Inputs-conf/m-p/42499#M7926 hokie1999 2013-05-16T16:05:19Z