I am trying to have my universal forwarder monitor a specific file or sets of files on a *nix server:
Would this be the correct stanza to place into my outputs.conf file location?: /opt/spplunkforwarder/etc/system/local
You configure the monitoring of files in inputs.conf. Outputs.conf defines where the forwarder should send the data it is capturing in inputs.conf.
Does that make sense?
The correct entry in inputs.conf would be something like this:
disabled = false
sourcetype = access_combined
You can also use wildcards with the * symbol.
Full docs here:
Let me know how you get along.
Monitoring configurations should be in your inputs.conf, i.e.: /opt/spplunkforwarder/etc/system/local/inputs.conf
See here: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Editinputs.conf
For wildcards: http://docs.splunk.com/Documentation/Splunk/6.1/Data/Specifyinputpathswithwildcards
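Added example, not part of the original posts: the split both answers describe, with the monitor stanzas in inputs.conf and the forwarding target in outputs.conf. The monitored paths, the `myapp_log` sourcetype, the group name and the indexer host are constructed placeholders.

```ini
# ---- inputs.conf on the universal forwarder: WHAT to collect ----
# Constructed example path; point it at the file you want monitored.
[monitor:///var/log/httpd/access_log]
disabled = false
sourcetype = access_combined

# Wildcard form: "*" matches within a single path segment, so this
# picks up every .log file directly under the (constructed) directory.
# "myapp_log" is a hypothetical sourcetype name.
[monitor:///var/log/myapp/*.log]
disabled = false
sourcetype = myapp_log

# ---- outputs.conf on the same forwarder: WHERE to send it ----
# "primary_indexers" is a hypothetical group name.
[tcpout]
defaultGroup = primary_indexers

# Placeholder host; the port must match the receiving port
# enabled on the indexer.
[tcpout:primary_indexers]
server = indexer.example.com:9997
```

Keep comments on their own lines, since a `#` after a value is read as part of the value. Restart the forwarder after editing either file so the changes are picked up.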