Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Universal Forwarder folder path monitor

sbattista09
Contributor
‎01-26-2016 07:54 AM

What stanza do i set in the Universal Forwarder to send data to the indexers from a folder path?
I want to send output from "/var/log/file.log" to the indexers in a new index called "IndexA".

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-26-2016 08:04 AM

Try this:

[monitor:///var/log/file.log]
index = IndexA
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

sbattista09
Contributor
‎01-26-2016 09:29 AM

they both work. Thank you all!

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-26-2016 08:04 AM

Try this:

[monitor:///var/log/file.log]
index = IndexA
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-26-2016 08:00 AM

Define your host 

host = Your Hostname

[monitor:///var/log/file.log]
disabled = false
sourcetype = Your sourcetype
index = indexA
Reply
Solved! Jump to solution

sbattista09
Contributor
‎01-26-2016 08:04 AM

where would i set this in the Universal Forwarder?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-26-2016 08:05 AM

It didn't save correctly, I edited my post and added the index part back into the Stanza.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-26-2016 08:11 AM

If your on a linux box go to
/splunk/etc/system/local vi inputs.conf

If your on Windows then splunk\etc\system\local then open the inputs.conf and add the stanza

Don't forget to restart your Splunk service after making these changes

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...