
How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

New Member

We are wanting to modify our Splunk forwarders on workstations to look at other log files and I am curious how to go about doing this. The locations of the log files on the computers are as follows. I am really new to Splunk.

Log Files within this path: C:\Users\\AppData\Local\Temp\inin_tracing\

IC Client:

interactionclient.ininlog
interactionclient1.ininlog
interactionclient2.ininlog

0 Karma

Re: How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

New Member

other logs
Log Files within this path: C:\Windows\Temp\inin_tracing\

Screen Capture Transfer Log Files
screencapturetransferserviceu.ininlog
screencapturetransferserviceu1.ininlog
screencapturetransferserviceu2.ininlog

0 Karma

Re: How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

SplunkTrust

Hi @hastrike, in future please remember to include your paths, queries and anything with special characters between code tags (button with 1s and 0s) otherwise those characters will be removed when posting your comments.

Anyway, if you just want to add a new file input to your Universal Forwarder, the best place to start is here. You can also find all the advanced details by reading the inputs.conf specification.

In your particular case, what you need to configure in your inputs.conf will probably be something like this:

[monitor://C:\Users\AppData\Local\Temp\inin_tracing\*.ininlog]
disabled = 0
index = your_index_name
sourcetype = your_sourcetype_name

[monitor://C:\Windows\Temp\inin_tracing\*.ininlog]
disabled = 0
index = your_index_name
sourcetype = your_sourcetype_name


Re: How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

New Member

Can your sourcetype be different but the index be the same between all the different locations you are monitoring? So the index name might be the name of the application and the sourcetype might be ICCLient, screencapture, interactionadministrator, etc. for each section.

I would just add each monitored folder for log one right below each other in the inputs.conf file.

Is there anything I need to change on the outputs.conf?

0 Karma

Re: How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

New Member

I guess my other question is that we do have forwarders on the computers reporting back some information. Would we just modify the inputs.conf file with the other folders we want to monitor and the outputs.conf is the same for all inputs, or, any time we want to monitor another folder with logs, do we have to have a separate Splunk forwarder outputs.conf file as well as an inputs file?

0 Karma

Re: How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

SplunkTrust

Both index and sourcetype can be different if you want to.
You usually tend to group similar sources by the same sourcetype and then use index to group data by retention and access control. There are obviously lots of other considerations, so this is on a very high level.

With regard to your second question: if you follow the right steps to configure your outputs.conf, then in principle you don't need to modify that again unless you want to do things like redirecting to multiple destinations, etc.

Take a look at these two Wikis, they are both great and should be part of any Splunk 101 training course:

https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
https://wiki.splunk.com/Things_I_wish_I_knew_then

0 Karma

Re: How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

New Member

So I do have one question on this: if you have a path where you want to look at the logs in a folder with that specific date on it, can you just put something like this in the file path for it to analyze the day it is and pick the folder with the correct date?

[monitor://c:\users\%userprofile%\AppData\Local\Temp\ininTracing\interactionclient*]
disabled=0
index = i3
sourcetype = interaction_client
ignoreOlderThan = 1y

0 Karma

Re: How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

New Member
[monitor://c:\users\%userprofile%\AppData\Local\Temp\inin_Tracing\<Current Date>\screencaptureclient*]
disabled=0
index = i3
sourcetype = screencapture_client
ignoreOlderThan = 1y

This would be the actual code I was going to use for the inputs.conf forwarder.

0 Karma

Re: How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

SplunkTrust

Hi, you can't use dynamic paths in your monitor stanza as far as I know.
You will need to hardcode the exact full path in advance or use regex to specify a date format:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Specifyinputpathswithwildcards

You can use whitelists and blacklists to monitor only those files you are interested in:

Keep in mind Splunk is going to remember which files it has already parsed.

0 Karma
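
An added example (not written by anyone in this thread) of the approach the reply above describes: a fixed path with wildcards, plus a whitelist regex for the date, instead of `%userprofile%` or a computed `<Current Date>`. The `YYYY-MM-DD` folder naming and the sourcetype names are assumptions; `i3` is the index used in the question.

```ini
# Added example. Assumptions: dated subfolders are named YYYY-MM-DD and the
# sourcetype names are placeholders. Index i3 comes from the question.

# Per-user trace logs. Each "*" matches one path segment: the first stands in
# for the user name, the second for the dated folder. The path is fixed text
# plus wildcards; no date is computed when the forwarder reads it.
[monitor://C:\Users\*\AppData\Local\Temp\inin_tracing\*\interactionclient*.ininlog]
disabled = 0
index = i3
sourcetype = interaction_client
# The question used 1y; a shorter window limits the backlog read on first start.
ignoreOlderThan = 7d

# Machine-wide trace logs. Monitoring a directory recurses into its subfolders
# by default. The whitelist is a regex tested against the full file path, so it
# can require a date-shaped folder name. Backslashes are escaped in the regex.
[monitor://C:\Windows\Temp\inin_tracing]
disabled = 0
index = i3
sourcetype = screencapture_transfer
whitelist = \\\d{4}-\d{2}-\d{2}\\screencapturetransferserviceu[^\\]*\.ininlog$
ignoreOlderThan = 7d
```

The per-user Temp directory is writable by the workstation user, so events from the first stanza should be treated as user-modifiable when they feed detections.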

Re: How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

SplunkTrust

Add the log file stanza to your SPLUNK_HOME/etc/system/local/inputs.conf

[monitor://C:\Users\AppData\Local\Temp\inin_tracing\interactionclient_*.ininlog]
index = your_index_name
# other fields = other values

[monitor://C:\Windows\Temp\inin_tracing\screencapturetransferserviceu_*.ininlog]
index = your_index_name
# other fields = other values

See here for reference : http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Editinputs.conf

0 Karma