https://community.splunk.com/t5/Getting-Data-In/Collect-logfiles/m-p/231273#M99013 <P>Hey DriesVloeberghen,</P> <P>as someone who isn't into your config it would be helpful for me if you could post your inputs.conf of the UF.</P> <HR /> <P>I try to suggest some possible solutions to your problem.</P> <UL> <LI>Check your inputs.conf [monitor-stanza] The stanza is a perfect place to spot faulty configuration Monitoring files under C:\Test (if Test ist actually the name of your file) should result in the following stanza:</LI> </UL> <P><STRONG>[monitor://C:\Test]</STRONG></P> <UL> <LI>If "Test" is actually a directory in which the files are placed it should look like the following:</LI> </UL> <P><STRONG>[monitor://C:\Test\*]</STRONG></P> <UL> <LI>If "Test" is actually a file and might be an .txt you should write that into your stanza:</LI> </UL> <P><STRONG>[monitor://C:\Test.txt]</STRONG><BR /> or you could do something like this<BR /> <STRONG>[monitor://C:\Test*]</STRONG></P> <UL> <LI>Has the user who runs the UF on the System (if not the root user) sufficient permissions to read the files under C:\Test ?</LI> </UL> <HR /> <P>Best regards,<BR /> pyro_wood</P> Wed, 17 Aug 2016 16:12:45 GMT horsefez 2016-08-17T16:12:45Z https://community.splunk.com/t5/Getting-Data-In/Collect-logfiles/m-p/231270#M99010 <P>I want to collect logfiles in Splunk through the Universal Forwarder.<BR /> I've set up a forward for the logs of the eventviewer and that is working!<BR /> But now I've set up a forward for logs on a specific location C:\Test, but that's not working. (there are log-files in it of course)<BR /> What can be the reason? How can I check what's being wrong?</P> Wed, 17 Aug 2016 14:19:49 GMT https://community.splunk.com/t5/Getting-Data-In/Collect-logfiles/m-p/231270#M99010 DriesVloeberghe 2016-08-17T14:19:49Z https://community.splunk.com/t5/Getting-Data-In/Collect-logfiles/m-p/231271#M99011 <P>Did you restart the forwarder?</P> Wed, 17 Aug 2016 15:33:54 GMT https://community.splunk.com/t5/Getting-Data-In/Collect-logfiles/m-p/231271#M99011 richgalloway 2016-08-17T15:33:54Z https://community.splunk.com/t5/Getting-Data-In/Collect-logfiles/m-p/231272#M99012 <P>Troubleshooting Monitor inputs can be troublesome it can usually be solved by inspecting the Splunkd.log, familiarity with btool and my favorite hit the rest endpoint on the forwarder to see the current status of the tailingprocessor. </P> <P>Although this Wiki is old it has great information for troubleshooting monitor inputs:</P> <P><A href="http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs">http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs</A></P> Wed, 17 Aug 2016 16:06:16 GMT https://community.splunk.com/t5/Getting-Data-In/Collect-logfiles/m-p/231272#M99012 dgrubb_splunk 2016-08-17T16:06:16Z https://community.splunk.com/t5/Getting-Data-In/Collect-logfiles/m-p/231273#M99013 <P>Hey DriesVloeberghen,</P> <P>as someone who isn't into your config it would be helpful for me if you could post your inputs.conf of the UF.</P> <HR /> <P>I try to suggest some possible solutions to your problem.</P> <UL> <LI>Check your inputs.conf [monitor-stanza] The stanza is a perfect place to spot faulty configuration Monitoring files under C:\Test (if Test ist actually the name of your file) should result in the following stanza:</LI> </UL> <P><STRONG>[monitor://C:\Test]</STRONG></P> <UL> <LI>If "Test" is actually a directory in which the files are placed it should look like the following:</LI> </UL> <P><STRONG>[monitor://C:\Test\*]</STRONG></P> <UL> <LI>If "Test" is actually a file and might be an .txt you should write that into your stanza:</LI> </UL> <P><STRONG>[monitor://C:\Test.txt]</STRONG><BR /> or you could do something like this<BR /> <STRONG>[monitor://C:\Test*]</STRONG></P> <UL> <LI>Has the user who runs the UF on the System (if not the root user) sufficient permissions to read the files under C:\Test ?</LI> </UL> <HR /> <P>Best regards,<BR /> pyro_wood</P> Wed, 17 Aug 2016 16:12:45 GMT https://community.splunk.com/t5/Getting-Data-In/Collect-logfiles/m-p/231273#M99013 horsefez 2016-08-17T16:12:45Z https://community.splunk.com/t5/Getting-Data-In/Collect-logfiles/m-p/231274#M99014 <P>Ok thanks, it seems that the logfiles of yesterday are in. But then I've got 2 other questions.<BR /> - after how many time the files are uploaded?<BR /> - it seems that I have to search on: source="c:\test\test1.log" - How can I search on a folder?</P> Thu, 18 Aug 2016 06:17:43 GMT https://community.splunk.com/t5/Getting-Data-In/Collect-logfiles/m-p/231274#M99014 DriesVloeberghe 2016-08-18T06:17:43Z