I have installed Splunk Enterprise version locally and configured the below from Splunk Web.
1) Forwarding host:port (localhost:9997)
2) Receiving port to match the same port (9997)
3) Data input to point to a directory (c:\data)
I don't see any data in Search & Reporting, even on adding files to the directory (c:\data).
Can I not use the same local instance as both a forwarder and indexer?
By default every Splunk instance can monitor the data locally (technically forwarder's functionality). Since you want to index the data locally and not send/forward it to any other indexer instance, you don't need to configure forwarding or receiving. Just set up the data input and you should be good to go.
How are you configuring data inputs? UI or using inputs.conf?
Thanks a lot for the response. I am configuring using the UI. I added a directory in the data input section and restarted Splunk, but when I go to the Search & Reporting section I don't see any data. Could you please let me know if I need to do any other configuration?
I would check a few things:
1) Check if the data input is listed under data inputs and is in the enabled state.
2) If you have access to the server, run the following to see if the file that you posted has been monitored by Splunk or not.
$SPLUNK_HOME/bin/splunk.exe list monitor
3) Since you added the data input from the UI, check if you're monitoring a file or the directory (check in the data input page). I'm guessing it would be monitoring a specific file, so you would have to update the inputs.conf on the server to monitor the folder.
4) Check the timestamp on the events in the file and see if it's within the retention period of the index that you're using.
I might check the index/sourcetype being used in the search to see if it matches the values from the data input.
Thanks for the response. On running list monitor I get the below entry.
Please can you let me know where inputs.conf is and what to change in it to make it a folder?
Thanks for your patience
Below is my inputs.conf file present in
disabled = false
whitelist = .
sourcetype = csv
index = test
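
The checks suggested in this thread (input enabled, file versus directory, matching index/sourcetype in the search) can be run against an inputs.conf offline. The following is an added example, not part of the original posts and not Splunk's own code. The `[monitor://c:\data]` stanza header, the function name and the candidate file paths are assumptions, and Python's `re` only approximates Splunk's PCRE matching of `whitelist`/`blacklist` against the full file path.

```python
import configparser
import re

# Constructed sample. The stanza header is assumed from the c:\data directory
# named in the question; the four settings are the ones posted above.
SAMPLE_INPUTS_CONF = r"""
[monitor://c:\data]
disabled = false
whitelist = .
sourcetype = csv
index = test
"""

TRUE_VALUES = {"1", "true", "t", "yes", "y"}


def audit_monitor_inputs(conf_text, candidate_paths):
    """Return one report per [monitor://...] stanza (hypothetical helper)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(conf_text)
    reports = []
    for section in parser.sections():
        if not section.startswith("monitor://"):
            continue
        cfg = parser[section]
        root = section[len("monitor://"):]
        allow, deny = cfg.get("whitelist"), cfg.get("blacklist")
        picked = []
        for path in candidate_paths:
            inside = path.lower().startswith(root.lower()) and path[len(root):][:1] in ("", "\\", "/")
            if not inside:
                continue  # not under the monitored file or directory
            if allow and not re.search(allow, path):
                continue  # whitelist is a regex on the full path
            if deny and re.search(deny, path):
                continue
            picked.append(path)
        index = cfg.get("index", "main")  # events go to main when index is unset
        reports.append({
            "path": root,
            "enabled": cfg.get("disabled", "false").strip().lower() not in TRUE_VALUES,
            "would_read": picked,
            # Search with the same index and sourcetype the input writes to.
            "search_hint": f"index={index} sourcetype={cfg.get('sourcetype', '*')}",
        })
    return reports
```

With the settings posted above the events land in index `test`, so the search has to name that index explicitly unless it is among the role's default search indexes.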