Solved: Manual Inputs, what location are they kept?

_z_ · ‎07-13-2011

Not new to Splunk, but new to 4.2.2.
I had setup a forwarder and manually entered specific paths to monitor:

/p01/foo/bar/logs/server.log
/p02/foo/bar/logs/server.log
went to on to p50.

I just wanted to get Splunk 'working'.
I looked in the local/inputs.conf but the information was not there. So where is it kept?

I have to ask because I removed the above, edited ../local/inputs.conf and added:

[monitor:/p*/foo/bar/logs]
index = default
ignoreOlderThan = 3d

As I wanted to index all the logs within the 'logs' dir.

Now it appears the forwarder is not sending OR the indexer is no longer indexing. I am guessing the original configuration is kept someplace and messing up my ../local/inputs.conf

Any ideas?

_z_ · ‎07-14-2011

$ find . -name inputs.conf -print
./splunk/etc/system/default/inputs.conf
./splunk/etc/system/local/inputs.conf
./splunk/etc/apps/launcher/local/inputs.conf
./splunk/etc/apps/SplunkLightForwarder/default/inputs.conf
./splunk/etc/apps/SplunkDeploymentMonitor/local/inputs.conf
./splunk/etc/apps/sample_app/default/inputs.conf
./splunk/etc/apps/unix/default/inputs.conf
./splunk/etc/apps/unix/local/inputs.conf
./splunk/etc/modules/distributedDeployment/classes/deployable/inputs.conf

The file I was looking for is in ../launcher/local/inputs.conf

I still have an issue with the indexing not working, but since this was my original question, I will mark it answered.

View solution in original post

_z_ · ‎07-14-2011

$ find . -name inputs.conf -print
./splunk/etc/system/default/inputs.conf
./splunk/etc/system/local/inputs.conf
./splunk/etc/apps/launcher/local/inputs.conf
./splunk/etc/apps/SplunkLightForwarder/default/inputs.conf
./splunk/etc/apps/SplunkDeploymentMonitor/local/inputs.conf
./splunk/etc/apps/sample_app/default/inputs.conf
./splunk/etc/apps/unix/default/inputs.conf
./splunk/etc/apps/unix/local/inputs.conf
./splunk/etc/modules/distributedDeployment/classes/deployable/inputs.conf

The file I was looking for is in ../launcher/local/inputs.conf

I still have an issue with the indexing not working, but since this was my original question, I will mark it answered.

kristian_kolb · ‎07-14-2011

Hm, and the monitor command takes a few more slashes (assuming that this is your actual conf)

Suggest you try

[monitor://]

and remember that the path might start with an additional slash...

Hope this helps.

/Kristian

_z_ · ‎07-14-2011

Kristian,

Yep, I tried the '///' in front as well.. no joy.

Thanks!

MuS · ‎07-13-2011

Hi z

how did you entered the paths to monitor? if it was over the 'webUI / Manager' it will propably end up in etc/apps/search/local.

and keep reading

Configure your inputs

regards

_z_ · ‎07-14-2011

MuS, just wanted to followup. I have another forwarder which I also setup manually via the Manager UI ... The etc/app/search/local dir does not exist...

So still looking for where these are kept.

_z_ · ‎07-14-2011

MuS,
I checked the path... the inputs.conf there is empty, which is correct since I removed all the entries I made.

I had reviewed that document you provided before... maybe I have to re-re-read...

_z_ · ‎07-14-2011

Yes, the original inputs were via the webUI/Manager...

I will check out the path, thanks!

Manual Inputs, what location are they kept?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation