Hello,
I have installed the trial Splunk Enterprise in Linux.
I have also installed the Universal Forwarder in a Windows 8.1 VM. I am trying to collect the logs but I can't.
With netstat I see that it connects, but it doesn't send anything.
Is the trial license limited for remote?
The following is a good place to start with - I can't find my data!
There could be a lot of different reasons as to why you're not getting data in Splunk.
Did you configure the outputs.conf on your forwarder to point at the indexer?
Did you configure your inputs.conf?
Did you restart the forwarder service after making these changes?
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Getstartedwithgettingdatain
Documentation/Splunk/6.5.0/Admin/Inputsconf ??
Which of these should I edit?
Now in inputs.conf in the local directory there is only the Splunk Enterprise. Should I add the forwarders there? An example of how it would look?
Thanks!!
Under your SPLUNK_HOME/etc/system/local.. Post the contents of your inputs.conf and outputs.conf.
I'll give an example when I get home.
You will need to modify the inputs.conf and outputs.conf on the remote host where the forwarder is installed under /opt/splunkforwarder/etc/system/local.
The inputs.conf file will look like this:
# applies to every input stanza below
[default]
host = YOUR_HOSTNAME

# one monitor stanza per file (or directory) the forwarder should tail
[monitor:///var/log/nginx/access.log]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX
You will need to include the path and filename you want to monitor.
Your outputs.conf file will look like this:
# which output group receives the data by default
[tcpout]
defaultGroup = xxx.xx.xx.xxx_9997

# the group: indexer address and its receiving port
[tcpout:xxx.xx.xx.xxx_9997]
server = xxx.xx.xx.xxx:9997

# per-server settings (none needed here)
[tcpout-server://xxx.xx.xx.xxx:9997]
The xxx.xx.xx.xxx will be the indexer IP or VIP if in a clustered environment.
Don't forget to restart the Splunk service on the forwarder after making these changes! Also make sure you created the index in Splunk which you defined in the inputs.conf.
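A pre-flight check for the two files described in the answer above, added here as an example (it is not from the thread or from Splunk). Splunk conf files are INI-style stanzas, so it parses them with configparser, cross-checks that defaultGroup points at an existing [tcpout:...] stanza with a host:port server entry, flags the common mistake of pointing at the 8089 management port instead of the indexer's receiving port, lists the indexes the inputs expect to exist, derives the inbound iptables rule the Linux indexer needs, and optionally tries a TCP connect from the forwarder side. The IP 192.0.2.10, host web01, sourcetype nginx_access and index web in the sample conf text are constructed placeholders.

```python
"""Pre-flight check for a Universal Forwarder's outputs.conf and inputs.conf.
Added example; the sample conf text below is constructed, not a real deployment."""
import configparser
import re
import socket

# Constructed sample configs mirroring the stanzas shown in the answer.
OUTPUTS_CONF = """\
[tcpout]
defaultGroup = 192.0.2.10_9997

[tcpout:192.0.2.10_9997]
server = 192.0.2.10:9997

[tcpout-server://192.0.2.10:9997]
"""

INPUTS_CONF = """\
[default]
host = web01

[monitor:///var/log/nginx/access.log]
disabled = false
sourcetype = nginx_access
index = web
"""

SPLUNKD_MGMT_PORT = 8089   # splunkd management port; it does not receive forwarded data


def parse_conf(text):
    """Parse Splunk-style stanzas. Splunk keys are case-sensitive, so keep case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_outputs(text):
    """Return (targets, problems): targets are (host, port) tuples the forwarder
    will connect to; problems are human-readable findings."""
    cp = parse_conf(text)
    targets, problems = [], []
    if "tcpout" not in cp:
        return targets, ["no [tcpout] stanza: the forwarder has nowhere to send"]
    group = cp["tcpout"].get("defaultGroup")
    if not group:
        return targets, ["[tcpout] has no defaultGroup"]
    for name in group.split(","):
        stanza = f"tcpout:{name.strip()}"
        if stanza not in cp:
            problems.append(f"defaultGroup refers to missing stanza [{stanza}]")
            continue
        servers = cp[stanza].get("server", "")
        if not servers:
            problems.append(f"[{stanza}] has no server = host:port")
        for item in servers.split(","):
            m = re.fullmatch(r"\s*([^:\s]+):(\d+)\s*", item)
            if not m:
                problems.append(f"[{stanza}] server entry {item!r} is not host:port")
                continue
            host, port = m.group(1), int(m.group(2))
            if port == SPLUNKD_MGMT_PORT:
                problems.append(f"[{stanza}] points at port {port} (splunkd management); "
                                "use the indexer's receiving port, e.g. 9997")
            targets.append((host, port))
    return targets, problems


def check_inputs(text):
    """Return (indexes, problems): indexes named by monitor stanzas, which must
    already exist on the indexer, plus findings about the stanzas themselves."""
    cp = parse_conf(text)
    indexes, problems = set(), []
    monitors = [s for s in cp.sections() if s.startswith("monitor://")]
    if not monitors:
        problems.append("no [monitor://...] stanza: nothing is being collected")
    for s in monitors:
        if cp[s].get("disabled", "false").strip().lower() in ("1", "true"):
            problems.append(f"[{s}] is disabled")
        if cp[s].get("index"):
            indexes.add(cp[s]["index"])
    return sorted(indexes), problems


def indexer_firewall_rules(targets):
    """iptables rule(s) the Linux indexer needs to accept the forwarder's
    connection; return traffic rides on the established connection."""
    return [f"-A INPUT -p tcp -m tcp --dport {port} -j ACCEPT"
            for port in sorted({p for _, p in targets})]


def tcp_reachable(host, port, timeout=3.0):
    """Forwarder-side check. A timeout usually means a firewall in the path;
    'connection refused' means nothing is listening on that port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    targets, out_problems = check_outputs(OUTPUTS_CONF)
    indexes, in_problems = check_inputs(INPUTS_CONF)
    for p in out_problems + in_problems:
        print("PROBLEM:", p)
    print("forwarder sends to:", targets)
    print("indexes that must exist on the indexer:", indexes)
    print("indexer iptables rule(s):", indexer_firewall_rules(targets))
    for host, port in targets:
        print(f"{host}:{port} reachable from here:", tcp_reachable(host, port))
```

Run it on the forwarder with the real files read in place of the constructed strings; a clean report plus a reachable target narrows the remaining causes to the indexer side (receiving not enabled on that port, or the index not created).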
# filter table (the *filter header is what iptables-restore expects)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# accept inbound connections from the forwarder to the Splunk receiving port
-A INPUT -p tcp -m tcp --dport 9997 -j ACCEPT
# accept established traffic arriving from a remote port 9997
-A INPUT -i eth0 -p tcp -m tcp --sport 9997 -m state --state ESTABLISHED -j ACCEPT
# allow the indexer's replies from port 9997 on established connections
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9997 -m state --state ESTABLISHED -j ACCEPT
COMMIT
That's what I have now! But still can't send data!
In Linux, what should I configure for the firewall, because I am still not receiving data?
Now the Forwarder is on the active list.
Should 8089 and 9997 be opened on the Forwarder in order to communicate with the indexer?