Archive

Adding a Input (Folder) to Forwarder

Explorer

i was trying to add a folder to forwarder to read data but its giving me an error ..as your session is invalid. please login.
[root@localhost bin]# ./splunk add monitor /home/user/Desktop/ForwardData -index mydb
Your session is invalid. Please login

user = admin
password = changeme

I have tried that login credentials but its not working either,
and the forwarder is added already i jus want to send the data form forwarder to indexer
so im trying to add Input (folder) to forwarder to monitor the data

Tags (1)
0 Karma
1 Solution

Esteemed Legend

You can reset the admin password like this:

https://answers.splunk.com/answers/834/how-could-i-reset-the-admin-password.html

You really should not be using the CLI manually like this. You should be using a configuration management system or a Deployment Server. If you really must keep the password the same and you must use the CLI, then you can do this:
Stop splunk.
Edit $SPLUNK_HOME/etc/apps/search/local/inputs.conf
Add this to the bottom:

[monitor:///home/user/Desktop/Forward_Data]
index = my_db

Save the file.
Restart Splunk.

View solution in original post

Esteemed Legend

You can reset the admin password like this:

https://answers.splunk.com/answers/834/how-could-i-reset-the-admin-password.html

You really should not be using the CLI manually like this. You should be using a configuration management system or a Deployment Server. If you really must keep the password the same and you must use the CLI, then you can do this:
Stop splunk.
Edit $SPLUNK_HOME/etc/apps/search/local/inputs.conf
Add this to the bottom:

[monitor:///home/user/Desktop/Forward_Data]
index = my_db

Save the file.
Restart Splunk.

View solution in original post

Explorer

More over i cannot see local folder in the search folder i could only see default and metadata..
@localhost search]# ls
default metadata

0 Karma

Esteemed Legend

Create a new local folder (with same owner/permissions as default).

0 Karma

Explorer

after creating local folder do i need to create inputs.conf file too ?

0 Karma

Esteemed Legend

Yes, go back to the top. DO NOT edit anything in the default directory.

0 Karma

Explorer

I have created the inputs.conf file in local folder and splunkforwarder is started
and I have checked connection with host system by pinging from forwarder everything is fine but when I was checking in the search head i was unable to read any data.

0 Karma

Esteemed Legend

So are you all working now>

0 Karma

Explorer

the forwarder is added but i was unable to send data from forwarder to indexer ..

0 Karma

Explorer

Do i need to use this command in the OS where the forwarder is installed or in the OS where Splunk is installed.

0 Karma

Esteemed Legend

What command?

0 Karma

Explorer

I was checking the command which u mentioned its not working for me, i have installed splunk in Windows and installed forwarder in Linux.
Actually I was trying to send data from forwarder to index, for this i was trying to add a folder( i.e add the path of the folder) to forwarder in linux but im facing a bit difficulty.

0 Karma

Esteemed Legend

What "command I mentioned" do you mean (I do not see that I mentioned any commands)? Is there a reason that you installed the Indexer on Windows?

0 Karma

Explorer

I mean the path which u mentioned, i was bit confused because u gave "Splunk_home" which i was unable to see where i have installed forwarder. i was able to see only splunkforwarder.

0 Karma

SplunkTrust
SplunkTrust

hi raghu0463,
you are trying to add / modify a file (inputs.conf) not a folder.

0 Karma

Explorer

Actually my forwarder and indexer are in different systems and do I need to edit inputs.conf file for reading data from the particular folder or file and edit outputs.conf file to configure the indexer ip and port no, on forwarder location to send data,

and edit inputs.conf file on indexer system to receive the data from forwarder. could anyone please explain a bit clearly im bit confused, its taking a lot of time for me to do this configuration.

Thank You

0 Karma

SplunkTrust
SplunkTrust

you can also manually add the stanza to .../etc/system/local/inputs.conf
vi .../etc/system/local/inputs.conf

[monitor:///home/user/Desktop/Forward_Data]
index = my_db

save the file :wq

restart splunk

0 Karma

SplunkTrust
SplunkTrust

You can rename the $SPLUNK_HOME/etc/passswd and restart splunkforwarder which will reset it to the default "changeme" password

0 Karma