Getting Data In

Forwarding a scripted input from /var/log/messages

New Member

I am trying to forward input from a universal forwarder to a regular Splunk installation on my desktop.

The universal forwarder was installed on a linux webapp server where I configured the inputs.conf (in the /etc/system/local dir) to take a scripted input (basically a bash script with a tail command of /var/log/messages piped to grep for a keyword). That is the only input I have configured in local. I restarted, checked logs, etc.

Unforunately I don't see the source, sourcetypes, or host for the linux webapp in the search homepage. I DO see the three windows hosts I installed a forwarder on, however they are pulling a log file for a client service. I feel like I am missing something somewhere. I tested the script for output, which it does. I double checked the syntax in input.conf. Im looking at the splunkd.log and I see the default directives:

TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk

I do not see my script:// directive.

I'm not sure where else to look for errors.

Tags (1)
0 Karma

Re: Forwarding a scripted input from /var/log/messages


Note that the file name is inputs.conf, not input.conf. That could be your problem. But if that's not it, read on...

As a test, ask the universal forwarder to monitor a regular file, instead of just running a scripted input. For example, on the desktop, create an index named test and then

On the linux web app server, add the following to your inputs.conf:


Restart the universal forwarder. See if you are getting any data into the the test index on your desktop. (Just search for index=test. If you get the data, then something is wrong with your script. If you don't get the data, then something is probably wrong with your forwarder configuration.

Look here for help troubleshooting your forwarder:

0 Karma