Solved: Universal Forwarder folder path monitor

sbattista09 · ‎01-26-2016

What stanza do i set in the Universal Forwarder to send data to the indexers from a folder path?
I want to send output from "/var/log/file.log" to the indexers in a new index called "IndexA".

richgalloway · ‎01-26-2016

Try this:

[monitor:///var/log/file.log]
index = IndexA

---
If this reply helps you, Karma would be appreciated.

View solution in original post

sbattista09 · ‎01-26-2016

they both work. Thank you all!

richgalloway · ‎01-26-2016

Try this:

[monitor:///var/log/file.log]
index = IndexA

---
If this reply helps you, Karma would be appreciated.

skoelpin · ‎01-26-2016

Define your host

host = Your Hostname

[monitor:///var/log/file.log]
disabled = false
sourcetype = Your sourcetype
index = indexA

sbattista09 · ‎01-26-2016

where would i set this in the Universal Forwarder?

skoelpin · ‎01-26-2016

It didn't save correctly, I edited my post and added the index part back into the Stanza.

skoelpin · ‎01-26-2016

If your on a linux box go to
/splunk/etc/system/local vi inputs.conf

If your on Windows then splunk\etc\system\local then open the inputs.conf and add the stanza

Don't forget to restart your Splunk service after making these changes

Universal Forwarder folder path monitor

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation