Solved: How to configure universal forwarder on same sys a...

jd3lite · ‎08-20-2020

How, and what files specifically, do I configure to get data into Splunk enterprise from the localhost? I thought it would be as simple as modifying inputs.conf that I created (shown below), but that didn't change anything. Thoughts?

\Splunk\etc\apps\SplunkForwarder\local\inputs.conf

similar to the inputs.conf file on my system with Universal Forwarder:

'\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf

Setup:
Sys1: Windows 10, Splunk Enterprise
Sys2: Windows 10, Universal Forwarder

Logs from Sys2 are in Splunk Enterprise, but I can't see anything from Sys1.

Thanks!

jd3lite · ‎08-20-2020

Solved it, silly me. For those wondering and I hope this helps someone else. I simply didn't look around close enough.

Under Splunk Enterprise ->> Settings ->> Data Inputs ->> Local event log collection (Collect event logs from this machine.)

Just needed to open my eyes. Thanks!

View solution in original post

jd3lite · ‎08-20-2020

Solved it, silly me. For those wondering and I hope this helps someone else. I simply didn't look around close enough.

Under Splunk Enterprise ->> Settings ->> Data Inputs ->> Local event log collection (Collect event logs from this machine.)

Just needed to open my eyes. Thanks!

How to configure universal forwarder on same sys as Splunk Enterprise?

universal forwarder

Windows

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!