I am trying to forward input from a universal forwarder to a regular Splunk installation on my desktop.
The universal forwarder was installed on a linux webapp server where I configured the inputs.conf (in the /etc/system/local dir) to take a scripted input (basically a bash script with a tail command of /var/log/messages piped to grep for a keyword). That is the only input I have configured in local. I restarted, checked logs, etc.
Unfortunately I don't see the source, sourcetypes, or host for the linux webapp in the search homepage. I DO see the three windows hosts I installed a forwarder on, however they are pulling a log file for a client service. I feel like I am missing something somewhere. I tested the script for output, which it does. I double checked the syntax in inputs.conf. I'm looking at the splunkd.log and I see the default directives:
Restart the universal forwarder. See if you are getting any data into the test index on your desktop. (Just search for index=test. If you get the data, then something is wrong with your script. If you don't get the data, then something is probably wrong with your forwarder configuration.)
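As an added example (not code from the question or the answer above), here is what a scripted input of the kind described, "tail /var/log/messages piped to grep for a keyword", can look like, written so it can be exercised on a constructed sample file before it is wired into the forwarder. The log path, the keyword, the script location, the sourcetype and the `index = test` stanza are assumptions for illustration; the guard on `SPLUNK_HOME` assumes the environment splunkd hands to scripted inputs.

```shell
#!/bin/sh
# Added example, not from the original post. A Splunk scripted input is a
# program whose stdout the forwarder turns into events each interval.
# LOGFILE and KEYWORD defaults are assumptions; override via environment.
LOGFILE="${LOGFILE:-/var/log/messages}"
KEYWORD="${KEYWORD:-error}"

# Emit the lines among the last $2 lines of $1 that contain the literal $3.
# Plain tail, not tail -f: the script runs to completion each interval.
# Anything written to stderr ends up in the forwarder's splunkd.log, so an
# unreadable file (common: the splunk user cannot read /var/log/messages)
# is visible there instead of silently producing no events.
filter_keyword() {
    file="$1"; count="$2"; kw="$3"
    [ -r "$file" ] || { echo "scripted input: cannot read $file" >&2; return 1; }
    tail -n "$count" "$file" | grep -F -- "$kw" || true   # no match is not an error
}

# Assumed inputs.conf stanza for this script (path and index are assumptions):
# [script://$SPLUNK_HOME/bin/scripts/tail_messages.sh]
# interval = 60
# sourcetype = syslog_keyword
# index = test
# disabled = 0

# Write a constructed sample log (not real data) to $1 so the filter can be
# checked outside Splunk. Two of the four lines contain "error".
make_sample() {
    printf '%s\n' \
      'May  1 10:00:01 web01 sshd[123]: Accepted publickey for deploy' \
      'May  1 10:00:05 web01 app[456]: error: upstream timeout' \
      'May  1 10:00:09 web01 app[456]: request ok' \
      'May  1 10:00:12 web01 kernel: error: disk quota exceeded' > "$1"
}

# Only emit events when run by the forwarder (splunkd exports SPLUNK_HOME
# to scripted inputs; treated here as an assumption). Sourcing the file
# elsewhere just defines the functions.
if [ -n "${SPLUNK_HOME:-}" ]; then
    filter_keyword "$LOGFILE" 200 "$KEYWORD"
fi
```

Run it by hand as the same user the forwarder runs as (`sudo -u splunk ./tail_messages.sh` with `SPLUNK_HOME` set) before relying on it: if it prints matches here but `index=test` stays empty on the desktop, the problem is in the forwarder or its outputs, which is the split the answer above suggests.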