Solved: How to configure universal forwarder on same sys a...

jd3lite · ‎08-20-2020

How, and what files specifically, do I configure to get data into Splunk enterprise from the localhost? I thought it would be as simple as modifying inputs.conf that I created (shown below), but that didn't change anything. Thoughts?

\Splunk\etc\apps\SplunkForwarder\local\inputs.conf

similar to the inputs.conf file on my system with Universal Forwarder:

'\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf

Setup:
Sys1: Windows 10, Splunk Enterprise
Sys2: Windows 10, Universal Forwarder

Logs from Sys2 are in Splunk Enterprise, but I can't see anything from Sys1.

Thanks!

jd3lite · ‎08-20-2020

Solved it, silly me. For those wondering and I hope this helps someone else. I simply didn't look around close enough.

Under Splunk Enterprise ->> Settings ->> Data Inputs ->> Local event log collection (Collect event logs from this machine.)

Just needed to open my eyes. Thanks!

View solution in original post

jd3lite · ‎08-20-2020

Solved it, silly me. For those wondering and I hope this helps someone else. I simply didn't look around close enough.

Under Splunk Enterprise ->> Settings ->> Data Inputs ->> Local event log collection (Collect event logs from this machine.)

Just needed to open my eyes. Thanks!

How to configure universal forwarder on same sys as Splunk Enterprise?

universal forwarder

Windows

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Join the Conversation