We want to modify our Splunk forwarders on workstations to look at other log files, and I am curious how to go about doing this. The locations of the log files on the computers are as follows. I am really new to Splunk.
Log Files within this path:
Log Files within this path:
Screen Capture Transfer Log Files
Hi @hastrike, in future please remember to include your paths, queries and anything with special characters between code tags (button with 1s and 0s) otherwise those characters will be removed when posting your comments.
Anyway, if you just want to add a new file input to your Universal Forwarder, the best place to start is here. You can also find all the advanced details by reading the inputs.conf specification.
In your particular case, it will probably be something like this that you need to configure in your inputs.conf:

[monitor://C:\Users\AppData\Local\Temp\inin_tracing\*.ininlog]
disabled = 0
index = your_index_name
sourcetype = your_sourcetype_name

[monitor://C:\Windows\Temp\inin_tracing\*.ininlog]
disabled = 0
index = your_index_name
sourcetype = your_sourcetype_name
Can your sourcetype be different but the index be the same between all the different locations you are monitoring? So the index name might be the name of the application and the sourcetype might be ICCLient, screencapture, interactionadministrator, etc. for each section.
I would just add each monitored log folder one right below the other in the inputs.conf file.
Is there anything I need to change in the outputs.conf?
I guess my other question is that we do have forwarders on the computers reporting back some information. Would we just modify the input.conf file with the other folders we want to monitor, and the output.conf is the same for all inputs? Or, any time we want to monitor another folder with logs, do we have to have a separate Splunk forwarder output.conf file as well as an input file?
Both index and sourcetype can be different if you want to.
You usually tend to group similar sources by the same sourcetype and then use index to group data by retention and access control. There are obviously lots of other considerations, so this is on a very high level.
With regards to your second question. If you follow the right steps to configure your outputs.conf, then in principle you don't need to modify that again unless you want to do things like redirecting to multiple destinations, etc.
Take a look at these two Wikis, they are both great and should be part of any Splunk 101 training course:
So I do have one question on this. If you have a path where you want to look at the logs in a folder with that specific date on it, can you just put something like this in the file path for it to analyze the current day and pick the folder with the correct date?

index = i3
sourcetype = interactionclient
ignoreOlderThan = 1y

[monitor://c:\users\%userprofile%\AppData\Local\Temp\inin_Tracing\<Current Date>\screencaptureclient*]
disabled=0
index = i3
sourcetype = screencapture_client
ignoreOlderThan = 1y
This would be the actual code I was going to use for the input.conf forwarder.
Hi, you can't use dynamic paths in your monitor stanza as far as I know.
You will need to hardcode the exact full path in advance or use regex to specify a date format:
You can use whitelists and blacklists to monitor only those files you are interested in:
Keep in mind Splunk is going to remember which files it has already parsed.
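The following Python is an added example, not configuration from this thread or code shipped by Splunk. It models how a monitor stanza with a wildcard in the date component plus a `whitelist`/`blacklist` regex decides which files get picked up, using the rules Splunk documents for inputs.conf: `*` matches within a single path segment, `...` crosses directory boundaries, whitelist and blacklist are regexes tested against the full file path (so Windows backslashes must be escaped as `\\`), and a blacklist match wins over a whitelist match. The stanza text, the `i3` index, the sourcetypes and all sample paths are constructed for the example; the user name `alice` and the `YYYY-MM-DD` folder format are assumptions.

```python
import re
from configparser import ConfigParser

# Constructed inputs.conf fragment (example values only). There is no
# <Current Date> placeholder in Splunk and %userprofile% is not expanded, so
# the stanza uses '*' for the user and date segments and lets the whitelist
# regex narrow the match to folders named YYYY-MM-DD.
INPUTS_CONF = r"""
[monitor://C:\Users\*\AppData\Local\Temp\inin_Tracing\*\screencaptureclient*]
disabled = 0
index = i3
sourcetype = screencapture_client
ignoreOlderThan = 1y
whitelist = \\inin_Tracing\\\d{4}-\d{2}-\d{2}\\screencaptureclient[^\\]*\.ininlog$
blacklist = \.(bak|tmp)$

[monitor://C:\Users\*\AppData\Local\Temp\inin_Tracing\interactionclient_*.ininlog]
disabled = 0
index = i3
sourcetype = interactionclient
ignoreOlderThan = 1y
"""


def load_monitor_stanzas(text):
    """Parse a Splunk-style .conf fragment into {monitor path: {key: value}}."""
    cp = ConfigParser(interpolation=None)  # .conf values contain no % interpolation
    cp.optionxform = str                   # Splunk keys are case-sensitive
    cp.read_string(text)
    stanzas = {}
    for section in cp.sections():
        if section.startswith("monitor://"):
            stanzas[section[len("monitor://"):]] = dict(cp[section])
    return stanzas


def glob_to_regex(monitor_path):
    """Translate monitor-path wildcards: '*' stays inside one path segment,
    '...' may cross directory separators. Case-insensitive because Windows
    paths are (the example's choice, not a Splunk setting)."""
    pattern = ""
    i = 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            pattern += r".*"
            i += 3
        elif monitor_path[i] == "*":
            pattern += r"[^\\/]*"
            i += 1
        else:
            pattern += re.escape(monitor_path[i])
            i += 1
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def is_monitored(full_path, monitor_path, stanza):
    """Apply the documented order: stanza enabled, path glob matches,
    blacklist (which overrides whitelist) does not match, whitelist matches."""
    if stanza.get("disabled", "0").lower() not in ("0", "false"):
        return False
    if not glob_to_regex(monitor_path).match(full_path):
        return False
    if "blacklist" in stanza and re.search(stanza["blacklist"], full_path):
        return False
    if "whitelist" in stanza and not re.search(stanza["whitelist"], full_path):
        return False
    return True


def route(full_path, conf_text=INPUTS_CONF):
    """Return (index, sourcetype) of the first stanza that picks up the file,
    or None if no stanza monitors it."""
    for monitor_path, stanza in load_monitor_stanzas(conf_text).items():
        if is_monitored(full_path, monitor_path, stanza):
            return stanza["index"], stanza["sourcetype"]
    return None


# Constructed sample paths: a dated screen-capture log, a rotated backup of it,
# a log in a non-dated folder, a wrong-product log in the dated folder, and an
# interaction client log at the tracing root.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\inin_Tracing\2024-05-01\screencaptureclient_1.ininlog",
    r"C:\Users\alice\AppData\Local\Temp\inin_Tracing\2024-05-01\screencaptureclient_1.ininlog.bak",
    r"C:\Users\alice\AppData\Local\Temp\inin_Tracing\archive\screencaptureclient_1.ininlog",
    r"C:\Users\alice\AppData\Local\Temp\inin_Tracing\2024-05-01\interactionclient_1.ininlog",
    r"C:\Users\alice\AppData\Local\Temp\inin_Tracing\interactionclient_1.ininlog",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", route(p))
```

Python's `re` is close to but not identical to the PCRE engine Splunk uses, so treat the script as a way to sanity-check a whitelist before deploying it, and confirm the result on a test forwarder with the actual folder layout. Once a dated folder stops receiving writes, `ignoreOlderThan` keeps the forwarder from re-scanning it after the retention window has passed.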
Add the log file stanza to your SPLUNK_HOME/etc/system/local/inputs.conf
[monitor://C:\Users\AppData\Local\Temp\inin_tracing\interactionclient_*.ininlog]
index = your_index_name
other_field = other_value

[monitor://C:\Windows\Temp\inin_tracing\screencapturetransferserviceu_*.ininlog]
index = your_index_name
other_field = other_value
See here for reference: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Editinputs.conf