Hello Everyone,
We are trying to monitor specific local paths on a remote server (Remote01) and send the data to Splunk, either in an existing index or a new one.
We have installed a Universal Forwarder on the remote server and were able to fetch data from one folder (\\Remote01\e$\Document-DEF\Folder01) under the default index (index=main).
However, we are unable to monitor a second folder (\\Remote01\e$\Document-GHI\Folder02) because the Universal Forwarder setup file only allows for one path.
We are facing the following challenges and would appreciate any guidance or advice on how to overcome them and successfully monitor both folders on the remote server in Splunk:
1. We can't create a new index for the remote server.
2. We can't get any information from the other folder we want to monitor ('Folder02').
3. We can't get information from the remote server in the existing index.
So in short, we can monitor one folder on the remote server Remote01 but unsure how to configure the forwarder to monitor a second folder on the same Remote01 server.
Thanks in advance for your help!
https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/MonitorfilesanddirectoriesusingtheCLI
But I would strongly advise reading through all https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/WhatSplunkcanmonitor
Also, please don't use the main index. Create another one(s) depending on your needs but the main index shouldn't really be used in production. It's a default index so typically events from misconfigured inputs go there, it's not meant as an index for production data.
We have created new index in the Splunk and modifying the input.conf file (\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local) where we have installed the Splunk Forwarder remote server.
Here we have added the newly created index with the new required folder path.
For Example :
[monitor://T:\New]
index = new1
disabled = false
But it did not work here.