So I have a separate folder that was prebuilt from Splunk universal forwarder.
The folder path is :
/opt/splunkforwarder/etc/apps/"MY folders HERE"
one of the folders under /apps IS sending
the other folder is not and all it has is a path of
/apps/NOT SENDING FOLDER/local/input.conf
inside inputs.conf I have
disabled = 0
this is not monitoring the folder and NO logs are going into splunk
However, in the correct folder that is sending I have
sourcetype = seclog
index = sec
disabled = 0
I also have the following folders in the correct logs that I do not have in the non-working log
default local metadata README.md static
Was wondering if anyone can point me in the direction to help me figure out why one folder is sending but the other isn't.
I don't think it's something to do with apps. Configurations look correct. Check user running splunk process has read permissions to log files in directory /var/log/router/.
If user has read permissions then check for any errors in splunkd logs in /opt/splunkforwarder/var/log/splunk/.
Is root running splunk process? Check splunkd logs /opt/splunkforwarder/var/log/splunk/splunkd.logs and also check if index "net" is created on indexer servers.
So I fixed this issue by investigating the errors in splunkd logs like manjuanthemeti said above.
This was resolved by finding out what the issue was and removing empty log files in the directory.
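The checks suggested in the replies above (read permissions on the monitored directory, errors in the splunkd logs), together with the empty-file condition the original poster found, as an added shell example that is not part of the thread and not Splunk tooling. The function names are hypothetical, and the log match assumes only that splunkd writes an ERROR or WARN level field on each line.

```shell
#!/bin/sh
# Added example: triage a monitored directory on a forwarder host.
# Run it as the same user that runs the splunk process, so the
# readability check reflects what the forwarder can actually open.

# Files under DIR ($1) that the current user cannot read.
unreadable_files() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        [ -r "$f" ] || printf '%s\n' "$f"
    done
}

# Zero-byte files under DIR ($1), sorted for stable output.
empty_files() {
    find "$1" -type f -size 0 2>/dev/null | sort
}

# ERROR/WARN lines in a splunkd log ($1) that mention DIR ($2).
log_problems() {
    grep -E ' (ERROR|WARN) ' "$1" 2>/dev/null | grep -F -- "$2"
}

# Print all three checks for one monitored directory.
triage() {
    # $1 = monitored directory, $2 = splunkd log file
    echo "== files not readable by $(id -un) =="
    unreadable_files "$1"
    echo "== empty files =="
    empty_files "$1"
    echo "== splunkd errors/warnings mentioning $1 =="
    log_problems "$2" "$1" || echo "(none)"
}

# Usage:
#   sh triage.sh /var/log/router /opt/splunkforwarder/var/log/splunk/splunkd.log
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```
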