I'm wondering with Splunk Cloud, how does one migrate log inputs that are watching a directory and grabbing new files as they come in? Obviously Splunk Cloud has no access to my systems anymore, so how does one go about migrating these types of jobs to Splunk Cloud?
@tmblue - Did the answer provided by kmccririe help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
You can certainly set up a forwarder to do this. You would install that forwarder where it can access those various directories you want to monitor, then take the inputs from the inputs.conf on your Splunk instance and put them on that forwarder.
If you aren't forwarding the data to your standalone Splunk instances there is probably an inputs.conf on the indexer bringing in the data.
Regardless of where the inputs.conf is, you will need the stanzas in that conf file that monitor the directories you want. You want those on the forwarder's inputs.conf.
You can then get the forwarder to send data to Splunk Cloud. You will need to download the Splunk Cloud forwarder credentials app and install it on the forwarder. Here are the directions: https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/User/ForwardDataToSplunkCloudFromWindows
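As an added example (not from the thread or from Splunk), here is a small Python script that pulls the enabled `[monitor://...]` stanzas out of an existing inputs.conf so they can be placed in the forwarder's inputs.conf, as the answer above describes. The sample file content, paths, index and sourcetype names are constructed, and treating only `1`/`true` as disabled is an assumption.

```python
import re

# Constructed sample of a standalone instance's inputs.conf (not from the thread).
SAMPLE_INPUTS_CONF = """\
[monitor:///mnt/nfs/app/logs]
index = app
sourcetype = app_log
blacklist = \\.gz$

[splunktcp://9997]
disabled = 0

[monitor:///mnt/nfs/old]
disabled = true
"""

STANZA_RE = re.compile(r"^\[([^\]]+)\]$")

def parse_stanzas(text):
    """Return [(stanza_name, [(key, value), ...]), ...] in file order."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        header = STANZA_RE.match(line)
        if header:
            stanzas.append((header.group(1), []))
        elif stanzas and "=" in line:
            key, _, value = line.partition("=")
            stanzas[-1][1].append((key.strip(), value.strip()))
    return stanzas

def monitor_stanzas(text):
    """Keep enabled [monitor://...] stanzas; everything else stays behind."""
    def enabled(settings):  # assumption: only "1"/"true" mark a stanza disabled
        return dict(settings).get("disabled", "0").lower() not in ("1", "true")
    return [(n, s) for n, s in parse_stanzas(text)
            if n.startswith("monitor://") and enabled(s)]

def render(stanzas):
    """Format stanzas as text for the forwarder's inputs.conf."""
    return "\n\n".join(
        "\n".join([f"[{name}]"] + [f"{k} = {v}" for k, v in settings])
        for name, settings in stanzas
    ) + "\n"

if __name__ == "__main__":
    print(render(monitor_stanzas(SAMPLE_INPUTS_CONF)), end="")
```

The monitored paths must resolve on the forwarder host as well, so the NFS volume has to be mounted there at the same location or the stanza paths adjusted.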
Where are you migrating from? Is this from an on-prem installation to Splunk Cloud? Are you using a forwarder?
I am trying to figure out what inputs you are mentioning and where they are located.
Thank you. I'm coming from a standalone installation at the moment: single indexer, search head, etc. It currently has multiple inputs that are "watching various directories on a shared NFS volume". We are looking to migrate to Splunk Cloud and I'm trying to understand how I do this migration. Sounds like I need a forwarder to push to Splunk Cloud, but honestly I'm not 100% sure how I accomplish that from where I currently am (standalone installation).