Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Universal Forwarder and folder monitoring

gdavid
Path Finder
‎06-29-2012 09:04 AM

I installed a universal forwarder on my workstation to test monitoring some server directories for changes.
during the install i selected monitored c:\mytestfolder
i see events coming into my index but i can't find which inputs.conf file on my workstation it's specified in.

also for some reason the events come in like this.
WARN FileClassifierManager - The file 'C:\MyTestFolder\Tulips.jpg' is invalid. Reason: binary
INFO TailingProcessor - Ignoring file 'C:\MyTestFolder\Tulips.jpg' due to: binary

Tags (1)
0 Karma
Reply

gdavid
Path Finder
‎06-29-2012 01:05 PM

finally found it. it seems that settings that come in during the install are located in
C:/Program Files/SplunkUniversalForwarder/etc/apps/MSICreated/local

0 Karma
Reply

gdavid
Path Finder
‎06-29-2012 12:55 PM

no local folder under [etc/apps/search/]
the default folder has an empty inputs.conf

i may be using the wrong monitor. i want to see file/directory changes, not parse the files.
but until i can find where monitor is specified i cant change it.

0 Karma
Reply

Kate_Lawrence-G
Contributor
‎06-29-2012 12:52 PM

I believe in the windows version the inputs.conf is located under the etc/apps/search/local directory.
You also should probably exclude the JPG files in that inputs.conf file as it is binary and will throw that type of message in the splunkd.log (/var/log/splunk/splunkd.log)

Thanks,

Kate

Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...