Getting Data In

Splunk Forwarding and Receiving

New Member

Hi,

I would like to monitor my other computer under one log file by using the forwarding and receiving. I've already use the splunk web to configure all my forwarding and receiving. The output I want is when the log file in my laptop is being updated with something new it would also update the log file in my desktop. But somehow, it didn't work out. I hope to solve this as soon as possible so I really need the help from you guys.

The input.conf has nothing except my host name.

And my output is this:

[tcpout]

defaultGroup = xxx.xx.xxx.xxx_9997

disabled = false

indexAndForward = 1

[tcpout:xxx.xx.xxx.xxx_9997]

autoLB = true

server = xxx.xx.xxx.xxx:9997

Those x is referring to my desktop IP address.

Thanks.

0 Karma

Splunk Employee
Splunk Employee

I am not sure I understand what your expectation is here. Are you saying that you expect a particular log file to be updated with the same information as another logfile where you have a forwarder installed? If so, Splunk isn't going to do that.

What Splunk can do is to connect make connections from the forwarder to the indexer and allow you to see when files are being changed. In order to do this, you'd need to set up fschange on the file where you'd like to see changes. Could you elaborate on how your file inputs are configured?

You'd want to set this up on your forwarder, instructions can be found here:

http://www.splunk.com/base/Documentation/4.2.1/Data/Monitorchangestoyourfilesystem

New Member

Okay ! I will try it out. Thanks for the solution (: I will get back to you if it works. Thanks (:

0 Karma

Splunk Employee
Splunk Employee

The forwarder can monitor whatever you'd like it to monitor, but the thing is that it can only monitor what it can see. You need some method of getting data from the locations where they were created into the location that the forwarder is monitoring. Otherwise, you'd have to install a forwarder on your laptop and the desktop, then set up a data input to monitor the file.

0 Karma

New Member

Erm. What I meant is it possible like Am i able to monitor other computer within one log files. Meaning my log file will monitor both my lappy ip address and desktop ip address. Is it possible if I use it with forwarder.

0 Karma

Splunk Employee
Splunk Employee

One way or another, the forwarder has to be able to see the data you want it to eat. If that is via a mount point or some other shared mechanism that allows the forwarder access to read the files, then the Forwarder will eat that data and send it over to the indexer.

Keep in mind, Splunk should be able to sustain 800-1000 IOPS. Things like NFS may not function well if you've got a lot of data Splunk needs to ingest. If you are only monitoring a few files, this may not be as much of a concern.

0 Karma

New Member

Erm. Is it possible that I could monitor other computers using the forwarder ?

0 Karma