Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using monitor on a Universal Forwarder

nce054
Path Finder
‎06-05-2015 08:59 AM

I'm trying to set up my Universal Forwarder to monitor a local folder. The folder path is H:\MonitorTest , and I have placed multiple text files in there to manipulate and see if the changes are recorded in my Search-Head. However, after putting the following code in $SPLUNK_HOME\etc\system\local\inputs.conf, I still am not seeing any new data on my Search-Head. Am I doing something incorrectly? I know this is a very basic question, as I am new to Splunk. Thanks for any help!

[monitor://C:\..\H:\MonitorTest]
disabled = 0
index = main
Tags (1)
0 Karma
Reply

masonmorales
Influencer
‎06-05-2015 09:15 AM

Looks like you are missing sourcetype. Also, I'm not sure why you have C:\ in there. I think your stanza should be something like:

[monitor://H:\MonitorTest\]
disabled = 0
index = main
sourcetype = test

Then, restart the Splunk forwarder and see if it picks up your test files.

0 Karma
Reply

nce054
Path Finder
‎06-05-2015 09:24 AM

I tried this, and no luck still. I have the index of 'main' enabled on my Search-Head, so I know that's not the issue.

0 Karma
Reply

masonmorales
Influencer
‎06-05-2015 09:40 AM

I am assuming you have two boxes, one with a UF, the other acting as an Indexer+SH. Is that correct?

If so, what happens if you search: 

index=_internal *test*

Does anything show up? Any errors? If not, you may want to check network connectivity between the UF and Indexer/SH. You can do that using the telnet command, or by searching for TcpOutput in splunkd.log on the UF.

If you can post your outputs.conf that might be helpful too.

0 Karma
Reply

nce054
Path Finder
‎06-05-2015 10:53 AM

Yes, I have one UF, two Indexers, and one Search-Head, all dedicated instances. I know they are linked up correctly because I am already receiving Windows Event log entries, such as System, Security, and Application.

0 Karma
Reply

masonmorales
Influencer
‎06-05-2015 10:57 AM

I think we need a diag from your UF to troubleshoot this further. If you can send me an e-mail (click my username to see it), I'll send you a login for my FTP server and we'll go from there.

0 Karma
Reply

nce054
Path Finder
‎06-05-2015 11:01 AM

I actually can't see it, all I see is your LinkedIn account, among other things.

0 Karma
Reply

masonmorales
Influencer
‎06-05-2015 11:05 AM

Sorry, refresh it. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...