Re: Universal Forwarder - Add another Log FIle to ...

pgergen · ‎10-23-2011

Hi

I have a Linux Splunk Indexer.

How do I add another log file to be indexed by Splunk to the Universal Forwarder on a Windows Server ?

Many Thanks

Regards
Peta Gergen
peta.gergen@team.telstra.com

lalit_mohan · ‎11-13-2013

Hi Guys,

I have similar problem!!!

I have two instances one is splunk-server and other is splunk-forwarder(universalForwarder).
Everything is fine with configuration ,then I tried to monitor tomcat logs and I have perform below steps on forwarder.

/usr/share/splunk_setup/splunkforwarder/bin/splunk add monitor /usr/share/apache-tomcat-7.0.42/logs/catalina.out -index default -sourcetype log4j -hostname splunkforwarder

But in search tab of splunk-web I always get No results found.

Am I missing something !!!.Please help me out.
Thanks in advance!!

Ayn · ‎10-23-2011

There's a whole manual covering these topics in the docs. This should be a good place to start: http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureyourinputs

Long story short: either use the CLI or add a directive in in an inputs.conf file (for instance in $SPLUNK_HOME/etc/system/local).

CLI: $SPLUNK_HOME/bin/splunk add monitor <logdir>

inputs.conf: [monitor:///<logdir>]

Universal Forwarder - Add another Log FIle to Index

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation