Splunk add monitor not sending log to splunk cloud

aanataliya · ‎07-03-2018

Hi I am newbie. I have installed splunk universal forwarder on windows client to forward log on Splunk Cloud. When I run below command, it executes without any error. But when I check /etc/local/inputs.conf file there is no section of monitor.

/splunk add monitor "D:\SGN" -index qa -sourcetype test_log -host <myip>

Also, If I execute list monitor command then also it shows monitored directory. How do I debug or find out whats wrong.

Note: I am creating AWS EC2 instance by passing UF installation scripts in userdata. in case, if it makes any difference.

gcusello · ‎07-03-2018

Hi aanataliya,
when you say that there isn't any stanza in /etc/local/inputs.conf, are you speaking of
$SPLUNK_HOME\etc\system\local\inputs.conf
or what? you said that Universal Forwarder is running on Windows client.

At the same time, beware to the command , in $SPLUNK_HOME\bin that is

splunk add monitor "D:\SGN" -index qa -sourcetype test_log -host <myip>

without the slash at the beginning (you have to use ./ on Linux).

Anyway, try the following command on Forwarder, in $SPLUNK_HOME\bin:

splunk cmd btool inputs list --debug > my_file_inputs.txt

In this way you can find where was stored the stanza that you configured with your command.

Bye.
Giuseppe

Splunk add monitor not sending log to splunk cloud

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk