Splunk add monitor not sending log to splunk cloud

aanataliya · ‎07-03-2018

Hi I am newbie. I have installed splunk universal forwarder on windows client to forward log on Splunk Cloud. When I run below command, it executes without any error. But when I check /etc/local/inputs.conf file there is no section of monitor.

/splunk add monitor "D:\SGN" -index qa -sourcetype test_log -host <myip>

Also, If I execute list monitor command then also it shows monitored directory. How do I debug or find out whats wrong.

Note: I am creating AWS EC2 instance by passing UF installation scripts in userdata. in case, if it makes any difference.

gcusello · ‎07-03-2018

Hi aanataliya,
when you say that there isn't any stanza in /etc/local/inputs.conf, are you speaking of
$SPLUNK_HOME\etc\system\local\inputs.conf
or what? you said that Universal Forwarder is running on Windows client.

At the same time, beware to the command , in $SPLUNK_HOME\bin that is

splunk add monitor "D:\SGN" -index qa -sourcetype test_log -host <myip>

without the slash at the beginning (you have to use ./ on Linux).

Anyway, try the following command on Forwarder, in $SPLUNK_HOME\bin:

splunk cmd btool inputs list --debug > my_file_inputs.txt

In this way you can find where was stored the stanza that you configured with your command.

Bye.
Giuseppe

Splunk add monitor not sending log to splunk cloud

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update