Universal Forwarder

akankshayadav
Path Finder

I have to forward my data from my machine to the server using the universal forwarder. What should be the content of inputs.conf?

0 Karma

venkatasri
Influencer

Hi @akankshayadav

## This is for linux, windows is slightly different
[monitor://<absolute_file_path>]
sourcetype = <sourcetype_name>
index = <index_name>

#Example
[monitor:///var/log/httpd]
sourcetype = access_common
index = main

You can find more examples here - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#inputs.conf.example

---

An upvote would be appreciated and Accept solution if this reply helps!

akankshayadav
Path Finder

I am giving this config in inputs.conf but can't see my data forwarded to the server

0 Karma

venkatasri
Influencer

@akankshayadav Can you share what you have configured and where you deployed it?

Do you know whether the index that you are using is already created in Splunk?

Does the file you want to monitor have enough read permissions and have contents in it?

0 Karma

akankshayadav
Path Finder

In my inputs.conf

[monitor://C:\Users\Lenovo\Documents\............\*.csv]
disabled = 0
index = index_fptsinv
sourcetype = csv

My IP is 192.168.29.117

I have to send to the server with IP 139.23.76.80

Can you also tell me which IP I have to provide in Deployment server and which in Receiver index?

0 Karma

venkatasri
Influencer

@akankshayadav Can you follow this thread, "Props.conf settings are not working - Splunk Community", which is similar to what you are trying to achieve? You need to set up other .conf files like outputs.conf (must), props.conf (optional), etc.

---

Hope this reply helps!

0 Karma

akankshayadav
Path Finder

No. This isn't my requirement. In my case, data is not received.
However, can you help with this:

My IP is 192.168.29.117

I have to send to the server with IP 139.23.76.80

Can you also tell me which IP I have to provide in Deployment server and which in Receiver index?

0 Karma

venkatasri
Influencer

Hi @akankshayadav 

If you are using forwarder management with a Deployment Server (DS), then your IP 192.168.29.117 shall be added to serverclass.conf on the DS (this step is optional if you have configured inputs.conf directly on the UF). 139.23.76.80, which should be your intermediate forwarder/indexer IP, shall be in outputs.conf on the UF where you have configured inputs.conf.

If you complete the above setup and still cannot find the logs, there could be many other reasons for data not being ingested into Splunk. Check the splunkd.log of the UF, or you can query the same in the _internal index.

---

An upvote would be appreciated if this reply helps you!

0 Karma
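Added example, not part of the original thread and not Splunk tooling: a small Python check of the two files named in the reply above, which flags a monitor stanza written without `//` and an outputs.conf that names no receiver. The sample file contents, the monitored path, the group name `primary_indexers` and port 9997 are constructed assumptions.

```python
import configparser

# Constructed samples, not from the thread; 9997 is an assumed receiving port.
SAMPLE_INPUTS = r"""
[monitor://C:\data\reports\*.csv]
disabled = 0
index = index_fptsinv
sourcetype = csv
"""
SAMPLE_OUTPUTS = """
[tcpout]
defaultGroup = primary_indexers
[tcpout:primary_indexers]
server = 139.23.76.80:9997
"""

def _parse(text):
    # Splunk .conf files are INI-like; keep key case, allow repeated stanzas.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_forwarder_config(inputs_text, outputs_text):
    """Return findings; an empty list means the minimum UF config is present."""
    findings = []
    inputs, outputs = _parse(inputs_text), _parse(outputs_text)
    monitors = [s for s in inputs.sections() if s.startswith("monitor:")]
    if not monitors:
        findings.append("inputs.conf: no [monitor://...] stanza")
    for stanza in monitors:
        if not stanza.startswith("monitor://"):
            findings.append(f"inputs.conf: [{stanza}] must start with monitor://")
        if inputs[stanza].get("disabled", "0").strip().lower() in ("1", "true"):
            findings.append(f"inputs.conf: [{stanza}] is disabled")
    # Data leaves the UF only if a tcpout group names a receiver as host:port.
    servers = [outputs[s].get("server", "") for s in outputs.sections()
               if s.startswith("tcpout:")]
    receivers = [r.strip() for v in servers for r in v.split(",") if r.strip()]
    if not receivers:
        findings.append("outputs.conf: no [tcpout:<group>] stanza with a server")
    for r in receivers:
        host, _, port = r.rpartition(":")
        if not host or not port.isdigit():
            findings.append(f"outputs.conf: receiver '{r}' is not host:port")
    return findings

if __name__ == "__main__":
    for out in ("", SAMPLE_OUTPUTS):
        print(check_forwarder_config(SAMPLE_INPUTS, out))
```
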

venkatasri
Influencer

@akankshayadav What was provided was the bare minimum config; however, there are additional settings to be added depending on the use case. Have a look at the link provided and read the Splunk docs for a detailed understanding.

---

An upvote would be appreciated and Accept solution if this reply helps!

0 Karma