Solved: Universal Forwarder folder path monitor

sbattista09 · ‎01-26-2016

What stanza do i set in the Universal Forwarder to send data to the indexers from a folder path?
I want to send output from "/var/log/file.log" to the indexers in a new index called "IndexA".

richgalloway · ‎01-26-2016

Try this:

[monitor:///var/log/file.log]
index = IndexA

---
If this reply helps you, Karma would be appreciated.

View solution in original post

sbattista09 · ‎01-26-2016

they both work. Thank you all!

richgalloway · ‎01-26-2016

Try this:

[monitor:///var/log/file.log]
index = IndexA

---
If this reply helps you, Karma would be appreciated.

skoelpin · ‎01-26-2016

Define your host

host = Your Hostname

[monitor:///var/log/file.log]
disabled = false
sourcetype = Your sourcetype
index = indexA

sbattista09 · ‎01-26-2016

where would i set this in the Universal Forwarder?

skoelpin · ‎01-26-2016

It didn't save correctly, I edited my post and added the index part back into the Stanza.

skoelpin · ‎01-26-2016

If your on a linux box go to
/splunk/etc/system/local vi inputs.conf

If your on Windows then splunk\etc\system\local then open the inputs.conf and add the stanza

Don't forget to restart your Splunk service after making these changes

Universal Forwarder folder path monitor

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor