- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Manual Inputs, what location are they kept?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not new to Splunk, but new to 4.2.2.
I had setup a forwarder and manually entered specific paths to monitor:
/p01/foo/bar/logs/server.log
/p02/foo/bar/logs/server.log
went to on to p50.
I just wanted to get Splunk 'working'.
I looked in the local/inputs.conf but the information was not there. So where is it kept?
I have to ask because I removed the above, edited ../local/inputs.conf and added:
[monitor:/p*/foo/bar/logs]
index = default
ignoreOlderThan = 3d
As I wanted to index all the logs within the 'logs' dir.
Now it appears the forwarder is not sending OR the indexer is no longer indexing. I am guessing the original configuration is kept someplace and messing up my ../local/inputs.conf
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
$ find . -name inputs.conf -print
./splunk/etc/system/default/inputs.conf
./splunk/etc/system/local/inputs.conf
./splunk/etc/apps/launcher/local/inputs.conf
./splunk/etc/apps/SplunkLightForwarder/default/inputs.conf
./splunk/etc/apps/SplunkDeploymentMonitor/local/inputs.conf
./splunk/etc/apps/sample_app/default/inputs.conf
./splunk/etc/apps/unix/default/inputs.conf
./splunk/etc/apps/unix/local/inputs.conf
./splunk/etc/modules/distributedDeployment/classes/deployable/inputs.conf
The file I was looking for is in ../launcher/local/inputs.conf
I still have an issue with the indexing not working, but since this was my original question, I will mark it answered.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
$ find . -name inputs.conf -print
./splunk/etc/system/default/inputs.conf
./splunk/etc/system/local/inputs.conf
./splunk/etc/apps/launcher/local/inputs.conf
./splunk/etc/apps/SplunkLightForwarder/default/inputs.conf
./splunk/etc/apps/SplunkDeploymentMonitor/local/inputs.conf
./splunk/etc/apps/sample_app/default/inputs.conf
./splunk/etc/apps/unix/default/inputs.conf
./splunk/etc/apps/unix/local/inputs.conf
./splunk/etc/modules/distributedDeployment/classes/deployable/inputs.conf
The file I was looking for is in ../launcher/local/inputs.conf
I still have an issue with the indexing not working, but since this was my original question, I will mark it answered.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hm, and the monitor command takes a few more slashes (assuming that this is your actual conf)
Suggest you try
[monitor://
and remember that the path might start with an additional slash...
Hope this helps.
/Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kristian,
Yep, I tried the '///' in front as well.. no joy.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi z
how did you entered the paths to monitor? if it was over the 'webUI / Manager' it will propably end up in etc/apps/search/local.
and keep reading
regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS, just wanted to followup. I have another forwarder which I also setup manually via the Manager UI ... The etc/app/search/local dir does not exist...
So still looking for where these are kept.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS,
I checked the path... the inputs.conf there is empty, which is correct since I removed all the entries I made.
I had reviewed that document you provided before... maybe I have to re-re-read...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, the original inputs were via the webUI/Manager...
I will check out the path, thanks!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
