I want Splunk to ingest my AV log. I made the following entry in the inputs.conf file:
Note: The log file is a text file with no formatting.
[monitor://C:ProgramData\'Endpoint Security'\logs\OnDemandScan_Activity.log]
disable=0
index=winlogs
sourcetype=WinEventLog:AntiVirus
start_from=0
current_only=0
checkpointInterval = 5
renderXml=false
My question is: is the stanza written correctly? When I do a search, I am not seeing anything.
Try removing the quotes from the file path.
Check splunkd.log for errors relating to that input.
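For comparison, here is a monitor stanza that addresses the problems visible in the one posted above. It is an added example, not text from either answer; the path, index and sourcetype values are assumptions that you should adjust to your own environment.

```ini
# inputs.conf monitor stanza for a plain-text AV log (added example, not from the original post)
#
# What changes relative to the posted stanza, and why:
#  - the drive letter is followed by a backslash (C:\ProgramData, not C:ProgramData)
#  - the path is not quoted; monitor stanza headers take the raw path, spaces included
#  - the key is "disabled", not "disable" (an unknown key is ignored; the input stays
#    enabled only because 0 is the default, so the typo is harmless but misleading)
#  - start_from, current_only, checkpointInterval and renderXml are [WinEventLog://...]
#    settings and do nothing on a [monitor://...] input, so they are dropped
#  - the sourcetype is renamed: "WinEventLog:AntiVirus" suggests Windows Event Log
#    parsing, which does not apply to an unformatted text file; the name below is a
#    placeholder for whatever custom sourcetype you define in props.conf

[monitor://C:\ProgramData\Endpoint Security\logs\OnDemandScan_Activity.log]
disabled = 0
index = winlogs
sourcetype = endpoint_security:ondemandscan
```

After restarting the forwarder, confirm that Splunk sees the stanza the way you meant it with `splunk btool inputs list monitor --debug`, and run `splunk btool check` to surface any keys it does not recognise. If the stanza is correct but the search is still empty, check that the `winlogs` index actually exists on the indexer (events for an index that is not configured are dropped and logged in splunkd.log), that your search time range covers the file's existing timestamps, and look in `index=_internal source=*splunkd.log* TailingProcessor` for messages about the file path.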