Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is this the correct stanza and location to monitor specific files on a *nix server with a universal forwarder?

w0lverineNOP
Path Finder
‎01-28-2016 04:22 AM

I am trying to have my universal forwarder monitor a specific file or sets of files on a *nix server:
Would this be the correct stanza to place into my outputs.conf file location?: /opt/spplunkforwarder/etc/system/local

stanza:

[monitor:///var/log/xxxxx/*]

Source: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Configureforwarderswithoutputs.confd

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jbjerke_splunk
Splunk Employee
Splunk Employee
‎01-28-2016 04:31 AM

Hi w0lverineNOP

You configure the monitoring of files in inputs.conf . Outputs.conf defines where the forwarder should send the data it is capturing in inputs.conf.

Does that make sense?

The correct entry in inputs.conf would be something like this:

[monitor:///var/log/access.log]
disabled = false
sourcetype = access_combined

You can also use wildcards with the * symbol.

Full docs here:
http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/inputsconf

Let me know how you get along.

j

View solution in original post

Reply
Solved! Jump to solution
Solution

jbjerke_splunk
Splunk Employee
Splunk Employee
‎01-28-2016 04:31 AM

Hi w0lverineNOP

You configure the monitoring of files in inputs.conf . Outputs.conf defines where the forwarder should send the data it is capturing in inputs.conf.

Does that make sense?

The correct entry in inputs.conf would be something like this:

[monitor:///var/log/access.log]
disabled = false
sourcetype = access_combined

You can also use wildcards with the * symbol.

Full docs here:
http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/inputsconf

Let me know how you get along.

j

Reply
Solved! Jump to solution

renjith_nair
SplunkTrust
SplunkTrust
‎01-28-2016 04:28 AM

Monitoring configurations should be in your inputs conf. ie : /opt/spplunkforwarder/etc/system/local/inputs.conf

See here : http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Editinputs.conf

For wildcard : http://docs.splunk.com/Documentation/Splunk/6.1/Data/Specifyinputpathswithwildcards

Happy Splunking!
Reply
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out >> Kudos to all the ...