Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where can I find the existing config files on our host machine? (New to Splunk!)

joshbola
New Member
‎08-17-2017 10:40 AM

Hello there everyone, wanted to reach out for help as I have taken a new role in my work life and I was give the duties on Splunk. I have never used it before, so I have been watching the education videos and learning. I am coming into an environment that already has Splunk setup.

I have a project request to add something to an existing Dashboard. The system that will be forwarding Data already has Universal Forwarder Installed and configured.

My questions is where can I find the existing config files on the host machines? I believe that is the file that I need to edit in order to forward data to Splunk for a new log.

Sorry but I am a newbie with this app, so learning continues...

Thank You

0 Karma
Reply

woodcock
Esteemed Legend
‎08-17-2017 05:28 PM

Are you using a Deployment Server or a Monitoring Console (which will tell you if you are using a DS)?

0 Karma
Reply

joshbola
New Member
‎08-17-2017 11:14 AM

Hello there Chris, thank you for your response and yes its a BIG task at hand to learn Splunk.

So the host machine is already forwarding data from other logs to the Indexer. I need to register a new log file to forward the data to indexer. I did find the inputs.conf and it looks like there is the host information and there is a Script with PATH File type pointing to Splunk-wmi.exe

Thank You

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎08-17-2017 10:49 AM

Welcome to the world of Splunk! It is a lot to learn. 🙂

If all you need to do is set up the indexer to receive data from a forwarder that is already configured, edit inputs.conf in $SPLUNK_HOME/etc/system/local. See Enable a receiver in the Forwarder Manual.

You should also familiarize yourself with the relevant parts of the Getting Data In manual.

Information about configuration files - their location and precedence - is in the Admin Manual. Start with About configuration files and read the topics that follow it.

Also, there is documentation specifically for people who have inherited a Splunk Enterprise deployment! It might also be useful for you. See Inherit a Splunk Enterprise Deployment.

Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...