What stanza do i set in the Universal Forwarder to send data to the indexers from a folder path?
I want to send output from "/var/log/file.log" to the indexers in a new index called "IndexA".
Try this:
[monitor:///var/log/file.log]
index = IndexA
they both work. Thank you all!
Try this:
[monitor:///var/log/file.log]
index = IndexA
Define your host
host = Your Hostname
[monitor:///var/log/file.log]
disabled = false
sourcetype = Your sourcetype
index = indexA
where would i set this in the Universal Forwarder?
It didn't save correctly, I edited my post and added the index part back into the Stanza.
If your on a linux box go to
/splunk/etc/system/local
vi inputs.conf
If your on Windows then splunk\etc\system\local
then open the inputs.conf and add the stanza
Don't forget to restart your Splunk service after making these changes