I am trying to have my universal forwarder monitor a specific file or sets of files on a *nix server:
Would this be the correct stanza to place into my outputs.conf file location?: /opt/spplunkforwarder/etc/system/local
stanza:
[monitor:///var/log/xxxxx/*]
Source: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Configureforwarderswithoutputs.confd
Hi w0lverineNOP
You configure the monitoring of files in inputs.conf. Outputs.conf defines where the forwarder should send the data it is capturing in inputs.conf.
Does that make sense?
The correct entry in inputs.conf would be something like this:
[monitor:///var/log/access.log]
disabled = false
sourcetype = access_combined
You can also use wildcards with the * symbol.
Full docs here:
http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/inputsconf
Let me know how you get along.
j
Monitoring configurations should be in your inputs.conf, i.e.: /opt/spplunkforwarder/etc/system/local/inputs.conf
See here: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Editinputs.conf
For wildcards: http://docs.splunk.com/Documentation/Splunk/6.1/Data/Specifyinputpathswithwildcards
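The split between the two files described in the answers above, as an added example that is not part of the original posts: the monitor path is the one from the question, while the sourcetype, output group name and indexer address are placeholder assumptions to replace with your own values.

```ini
# ---- inputs.conf (what the forwarder reads) ----
# Monitor every file directly under the directory from the question.
# "*" matches within a single path segment; it does not recurse.
[monitor:///var/log/xxxxx/*]
disabled = false
# Placeholder sourcetype (assumption): set it to match the log format.
sourcetype = my_app_log
# Skip compressed rotated copies so they are not read as new files.
blacklist = \.(gz|bz2|zip)$

# ---- outputs.conf (where the forwarder sends what it reads) ----
# Group name and indexer address below are placeholders (assumptions).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer.example.com:9997
# Ask the indexer to acknowledge data so events are resent if the link drops.
useACK = true
```

Both files go in the forwarder's etc/system/local directory, and the forwarder needs a restart to pick up the changes.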