I have added monitoring with below command on my windows client.
./splunk add monitor C:\path\to.log -index qa -sourcetype pcs_log -host <ip>
I can see above path in monitored file list when I execute splunk list monitor
.
As per my understanding splunk add monitor
adds below stanza in inputs.conf. Isn't it? But I am unable to find these lines in any of inputs.conf file. I have checked /etc/system/local/inputs.conf but it doesnt have these values.
[monitor://path/to.log]
disabled = 0
setting1 = value
setting2 = value
...
I am using splunk cloud and installed universal forwarder. can you please help?
When you add a monitor from the CLI it goes to the search app, local, inputs config. $SPLUNK_HOME\etc\apps\search\local\inputs.conf
@aanataliya
The inputs.conf could be created under your app also. Easy way to find is using btool
./splunk cmd btool inputs list --debug | grep 'your known string'