Adding an Input (Folder) to Forwarder

raghu0463
Explorer

I was trying to add a folder to the forwarder to read data, but it's giving me an error: your session is invalid, please login.
[root@localhost bin]# ./splunk add monitor /home/user/Desktop/Forward_Data -index my_db
Your session is invalid. Please login

user = admin
password = changeme

I have tried those login credentials but it's not working either,
and the forwarder is added already. I just want to send the data from the forwarder to the indexer,
so I'm trying to add an Input (folder) to the forwarder to monitor the data.

0 Karma
1 Solution

woodcock
Esteemed Legend

You can reset the admin password like this:

https://answers.splunk.com/answers/834/how-could-i-reset-the-admin-password.html

You really should not be using the CLI manually like this. You should be using a configuration management system or a Deployment Server. If you really must keep the password the same and you must use the CLI, then you can do this:
Stop splunk.
Edit $SPLUNK_HOME/etc/apps/search/local/inputs.conf
Add this to the bottom:

[monitor:///home/user/Desktop/Forward_Data]
index = my_db

Save the file.
Restart Splunk.

raghu0463
Explorer

Moreover, I cannot see a local folder in the search folder; I could only see default and metadata.
@localhost search]# ls
default metadata

0 Karma

woodcock
Esteemed Legend

Create a new local folder (with same owner/permissions as default).

0 Karma

raghu0463
Explorer

After creating the local folder, do I need to create the inputs.conf file too?

0 Karma

woodcock
Esteemed Legend

Yes, go back to the top. DO NOT edit anything in the default directory.

0 Karma
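
The procedure from the answers above (create local/ beside default/ with the same owner and permissions, append the monitor stanza to local/inputs.conf, leave default/ untouched) as a shell function. This is an added example, not code from the thread; the function names are hypothetical and it assumes GNU coreutils (`chown`/`chmod --reference`) on the Linux forwarder.

```shell
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU coreutils on the Linux forwarder.
# Usage: add_monitor_stanza "$SPLUNK_HOME/etc/apps/search" \
#            /home/user/Desktop/Forward_Data my_db

# add_monitor_stanza APP_DIR MONITOR_PATH INDEX
# Returns 0 on success (or if the stanza already exists),
# 1 if APP_DIR/default is missing, 2 if MONITOR_PATH is not absolute.
add_monitor_stanza() {
    app_dir=$1
    monitor_path=$2
    index=$3
    conf="$app_dir/local/inputs.conf"
    header="[monitor://$monitor_path]"

    [ -d "$app_dir/default" ] || return 1
    case $monitor_path in
        /*) ;;
        *) return 2 ;;
    esac

    # Create local/ with the same owner and mode as default/;
    # default/ itself is never modified.
    if [ ! -d "$app_dir/local" ]; then
        mkdir "$app_dir/local" || return 1
        chown --reference="$app_dir/default" "$app_dir/local"
        chmod --reference="$app_dir/default" "$app_dir/local"
    fi

    # Idempotent: skip the append when the stanza header is already there.
    if [ -f "$conf" ] && grep -Fxq -- "$header" "$conf"; then
        return 0
    fi

    printf '\n%s\nindex = %s\n' "$header" "$index" >> "$conf"
    chown --reference="$app_dir/default" "$conf"
}

# count_stanzas CONF HEADER: print how many lines equal HEADER exactly.
count_stanzas() {
    grep -Fxc -- "$2" "$1"
}
```

Run it as a user allowed to write under the forwarder's install directory, then restart the forwarder as described in the answer so the new input is read.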

raghu0463
Explorer

I have created the inputs.conf file in the local folder and splunkforwarder is started,
and I have checked the connection with the host system by pinging from the forwarder; everything is fine, but when I was checking in the search head I was unable to read any data.

0 Karma

woodcock
Esteemed Legend

So are you all working now?

0 Karma

raghu0463
Explorer

The forwarder is added but I was unable to send data from the forwarder to the indexer.

0 Karma

raghu0463
Explorer

Do I need to use this command in the OS where the forwarder is installed or in the OS where Splunk is installed?

0 Karma

woodcock
Esteemed Legend

What command?

0 Karma

raghu0463
Explorer

I was checking the command which you mentioned; it's not working for me. I have installed Splunk on Windows and installed the forwarder on Linux.
Actually I was trying to send data from the forwarder to the index; for this I was trying to add a folder (i.e. add the path of the folder) to the forwarder on Linux, but I'm facing a bit of difficulty.

0 Karma

woodcock
Esteemed Legend

What "command I mentioned" do you mean (I do not see that I mentioned any commands)? Is there a reason that you installed the Indexer on Windows?

0 Karma

raghu0463
Explorer

I mean the path which you mentioned. I was a bit confused because you gave "Splunk_home", which I was unable to see where I have installed the forwarder. I was able to see only splunkforwarder.

0 Karma

adonio
Ultra Champion

hi raghu0463,
you are trying to add / modify a file (inputs.conf) not a folder.

0 Karma

raghu0463
Explorer

Actually my forwarder and indexer are on different systems. Do I need to edit the inputs.conf file for reading data from the particular folder or file, and edit the outputs.conf file to configure the indexer IP and port number on the forwarder to send data,

and edit the inputs.conf file on the indexer system to receive the data from the forwarder? Could anyone please explain a bit more clearly? I'm a bit confused; it's taking a lot of time for me to do this configuration.

Thank You

0 Karma

adonio
Ultra Champion

you can also manually add the stanza to .../etc/system/local/inputs.conf
vi .../etc/system/local/inputs.conf

[monitor:///home/user/Desktop/Forward_Data]
index = my_db

save the file :wq

restart splunk

0 Karma

skoelpin
SplunkTrust

You can rename the $SPLUNK_HOME/etc/passwd and restart splunkforwarder, which will reset it to the default "changeme" password.

0 Karma