Getting Data In

Universal Forwarder Syntax for Inputs.conf

New Member

Hi,

I am new to Splunk and have just configured a universal forwarder on a remote Windows server in order to forward all log files under a specified folder to the receiver.

However I am not able to see the logs being piped to the receiver.

My settings for "inputs.conf" are as follows:

[Monitor://\\program files\syslogd\logs] 

 Disable=0

Any help is appreciated

Thank you

0 Karma

Re: Universal Forwarder Syntax for Inputs.conf

Motivator

I am not sure if it's a typo in your post, but the syntax should be:

[monitor://c:\program files\syslogd\logs]
disabled=false


Re: Universal Forwarder Syntax for Inputs.conf

New Member

Thank you so much. It worked perfectly with your advised syntax.

0 Karma

Re: Universal Forwarder Syntax for Inputs.conf

Motivator

You're welcome! Then accept the answer for others looking at the same issue, thanks!

0 Karma

Re: Universal Forwarder Syntax for Inputs.conf

New Member

How do I accept the answer?

0 Karma

Re: Universal Forwarder Syntax for Inputs.conf

Motivator

On the left side of the answer and below the answer (before comments).

0 Karma

Re: Universal Forwarder Syntax for Inputs.conf

Ultra Champion

Make sure your outputs.conf is correctly configured, as well.

/k

0 Karma

Re: Universal Forwarder Syntax for Inputs.conf

Explorer

Original thread on Splunk Answers (tag: inputsconf):
Question asked 02 May '12, 23:22 by fongkh76; edited 02 May '12, 23:40 by Ayn.
Comment (03 May '12, 01:08) by kristian.kolb.
Answer posted 02 May '12, 23:34 by MarioM.
Comments on the answer: (03 May '12, 01:47) fongkh76; (03 May '12, 02:01) MarioM; (03 May '12, 02:13) fongkh76; (03 May '12, 02:52) MarioM.

Same problem; logs not being forwarded from a Windows server to a pair of indexers. See configs below. A restart of a service "InterraBaton" on the monitored server does not show up on the Splunk via the search head but does show up in the logs on the IB server. Any ideas would be appreciated.

inputs.conf

[default]
index = default
_rcvbuf = 1572864
host = DDCIBVERMGR02
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=

.
.
.

[monitor://C:\batonSites\VerificationManager\log] <<< log 1
disabled = 1
[monitor://C:\batonSites\Workers\log] <<< log 2
disabled = 1

outputs.conf

[tcpout]
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
sendCookedData = true
connectionTimeout = 20
readTimeout = 300
writeTimeout = 300
useACK = true

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = XXX.YYY.138.158:9997,XXX.YYY.138.159:9997

[tcpout-server://XXX.YYY.138.158:9997]


0 Karma

Re: Universal Forwarder Syntax for Inputs.conf

Explorer

Correction, inputs.conf has this:

[monitor://C:batonSites\VerificationManager\log]
disabled = 1
[monitor://C:batonSites\Workers\log]
disabled = 1

0 Karma
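
An added example (not part of any post in this thread, and not Splunk's own tooling): a small Python check over inputs.conf text that flags where the stanzas posted above differ from the form given in the accepted answer, and also flags a monitor stanza left with disabled = 1 as in the later configs. The finding names, the TRUTHY set and the drive-letter rule are assumptions made for this demo, and the sample input is constructed from the stanzas quoted on the page.

```python
import re

# Constructed sample: stanzas quoted in this thread, joined into one file for the demo.
SAMPLE = r"""
[Monitor://\\program files\syslogd\logs]
Disable=0

[monitor://c:\program files\syslogd\logs]
disabled=false

[monitor://C:batonSites\Workers\log]
disabled = 1
"""

# Assumption: these spellings are treated as "true" for the disabled setting.
TRUTHY = {"1", "true"}

def lint_inputs(text):
    """Return (stanza, finding) pairs for Windows monitor stanzas in inputs.conf text."""
    findings, stanza, is_monitor = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(.+?)\]", line)
        if header:
            stanza = header.group(1)
            scheme, sep, path = stanza.partition("://")
            is_monitor = bool(sep) and scheme.lower() == "monitor"
            if is_monitor and scheme != "monitor":
                findings.append((stanza, "scheme-not-lowercase"))
            # The answer's working form starts with a drive letter, colon, backslash.
            if is_monitor and not re.match(r"[A-Za-z]:\\", path):
                findings.append((stanza, "path-not-drive-rooted"))
            continue
        if not is_monitor or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key != "disabled" and key.lower().startswith("disable"):
            findings.append((stanza, "misspelled-disabled-key"))
        elif key == "disabled" and value.lower() in TRUTHY:
            findings.append((stanza, "input-disabled"))
    return findings

if __name__ == "__main__":
    for stanza, finding in lint_inputs(SAMPLE):
        print(f"{finding:24} [{stanza}]")
```

A monitored log source that is silently disabled or never matched produces no error on the indexer side, so running a check like this on the forwarder's effective config is a cheap way to catch collection gaps before they matter.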