How to check if the input.conf updated on Universa...

tungpx · ‎10-21-2024

Hello,

I have a deployment server and deploy an app on an Universal Forwarder, like I usually do (Create an app folder -> create local folder -> write input.conf -> setup app, server class on DS, tick disable/enable app, tick restart Splunkd). But after make sure the log path and permission of the log file (664), I don't see the log forwarded.

I'm only manage the Splunk Deloyment but not the server that host universal forwarder so I asked the system team to check it for me. After sometime, they get back to me and said there is no change on the input.conf file. They have to manually restart splunk on the Universal Forwarder and after that I see the log finally ingested.

So I want to know if there is an app, or a way to check if the app or the input.conf was changed according to my config on the DS or not, I can't ask the system team to check for it for me all time time.

Thank you.

gcusello · ‎10-21-2024

Hi @tungpx ,

the usual way to see if a Forwarder configuration is updated is to chech if updates are running or not, but anyway you could try to create an index time field with the update version and check it.

This is a description about how to do it: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Configureindex-timefieldextraction

Ciao.

Giuseppe

How to check if the input.conf updated on Universal Forwarder or not

host

inputs.conf

monitor

universal forwarder

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Are you a member of the Splunk Community?