https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-a-file-in-windows-forwarder-on-Splunk-instance-on/m-p/16883#M6765 <P>Hi Ahishek, </P> <P>You can set the data input via either the Web UI, command line or by editing config files. If you have set the Windows2003 server as a light forwarder then you will have to use the command line. </P> <P>Instructions to setup the data input via the Web UI are here:</P> <P><A href="http://www.splunk.com/base/Documentation/4.1.6/User/Adddatatutorial" rel="nofollow">http://www.splunk.com/base/Documentation/4.1.6/User/Adddatatutorial</A></P> <P>If you want to add a data input via the command line then use the following:</P> <P>%SPLUNK_HOME%\bin\splunk add monitor C:\Program Files(x86)\SSRPM\Service\Logging\SSRPMLog.log</P> <P>If you want to add the data source via a config file then you need to modify the following file:</P> <P>%SPLUNK_HOME%\etc\system\local\inputs.conf</P> <P>with the following:</P> <P>[monitor://c:\Program Files(x86)\SSRPM\Service\Logging\SSRPMLog.log] disabled = false followTail = 0</P> <P>You shouldn't have to restart the forwarder. The file needs to have data in it for you to see the forwarder and source on the indexer's summary search page. </P> <P>Hope that helps. </P> Tue, 01 Feb 2011 22:04:59 GMT tgow 2011-02-01T22:04:59Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-a-file-in-windows-forwarder-on-Splunk-instance-on/m-p/16880#M6762 <P>Hi, I have a Windows server 2003 which forwards data to Splunk instance on a Linux box. I want the file c:\Program Files(x86)\SSRPM\Service\Logging\SSRPMLog.log (which is there on the Windows forwarder) to be monitored on Splunk.</P> <P>How to do this?</P> <P>The way i understood it from the docs: [monitor:c:\Program Files(x86)\SSRPM\Service\Logging\SSRPMLog.log]</P> <P>I placed the above entry in c:\Program files\Splunk\etc\system\local\inputs.conf </P> <P>but its not getting indexed on the Splunk instance.</P> <P>Please help.</P> <P>Regards, Abhishek</P> Mon, 05 Jul 2010 19:48:35 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-a-file-in-windows-forwarder-on-Splunk-instance-on/m-p/16880#M6762 achouras 2010-07-05T19:48:35Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-a-file-in-windows-forwarder-on-Splunk-instance-on/m-p/16881#M6763 <P>First you need to verify that the Splunk instance on the Windows Server is forwarding to the Linux box. Once you verify that, then you can modify your inputs.conf on the Windows Server to accept the new file input. Once you restart the Forwarder, it should begin streaming data to the Splunk indexer. There are multiple questions and answers regarding troubleshooting of Splunk Forwarders, which you should review. Some common remedies for your symptoms include setting the correct index (existing on the Splunk indexer) and setting up the forwarder topology properly.</P> Tue, 06 Jul 2010 00:34:52 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-a-file-in-windows-forwarder-on-Splunk-instance-on/m-p/16881#M6763 Simeon 2010-07-06T00:34:52Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-a-file-in-windows-forwarder-on-Splunk-instance-on/m-p/16882#M6764 <P>sounds to me like you have not yet set up forwarding... try that first, and if so, try pasting the whole inputs.conf as well as your outputs.conf. Also make sure your indexer is set up to receive events.</P> Tue, 14 Sep 2010 06:35:37 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-a-file-in-windows-forwarder-on-Splunk-instance-on/m-p/16882#M6764 Genti 2010-09-14T06:35:37Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-a-file-in-windows-forwarder-on-Splunk-instance-on/m-p/16883#M6765 <P>Hi Ahishek, </P> <P>You can set the data input via either the Web UI, command line or by editing config files. If you have set the Windows2003 server as a light forwarder then you will have to use the command line. </P> <P>Instructions to setup the data input via the Web UI are here:</P> <P><A href="http://www.splunk.com/base/Documentation/4.1.6/User/Adddatatutorial" rel="nofollow">http://www.splunk.com/base/Documentation/4.1.6/User/Adddatatutorial</A></P> <P>If you want to add a data input via the command line then use the following:</P> <P>%SPLUNK_HOME%\bin\splunk add monitor C:\Program Files(x86)\SSRPM\Service\Logging\SSRPMLog.log</P> <P>If you want to add the data source via a config file then you need to modify the following file:</P> <P>%SPLUNK_HOME%\etc\system\local\inputs.conf</P> <P>with the following:</P> <P>[monitor://c:\Program Files(x86)\SSRPM\Service\Logging\SSRPMLog.log] disabled = false followTail = 0</P> <P>You shouldn't have to restart the forwarder. The file needs to have data in it for you to see the forwarder and source on the indexer's summary search page. </P> <P>Hope that helps. </P> Tue, 01 Feb 2011 22:04:59 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-a-file-in-windows-forwarder-on-Splunk-instance-on/m-p/16883#M6765 tgow 2011-02-01T22:04:59Z