WIndows Splunk Forwarder

macwin · ‎10-17-2012

Currently, during the installation of splunk forwarder, at one place it takes input of the directory path or file path of the log file to be indexed. Suppose my log files are in 2 different directories. How can I use both of them for indexing?

Thanks.

sdaniels · ‎10-17-2012

Are you asking how you'd set up your splunk forwarder to monitor multiple files that happen to exist in different directories on the same server? In inputs.conf you would just have two entries like this:

[monitor://C:\somedirectory\anotherone\test.log]
index = myindex
sourcetype = mysourcetype

[monitor://C:\mydirectory\somethingelse\file.log]
index = myindex
sourcetype = mysourcetype

sdaniels · ‎10-17-2012

If you do this through the Splunk UI it will create that inputs.con file for you in \etc\system\local. If you want to do it manually in the config file just create the file yourself add the appropriate settings after looking in our docs and restart splunk on the forwarder.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureyourinputs

macwin · ‎10-17-2012

Thanks. I dont have this entry for the file I am currently indexing, then also I can read it.

WIndows Splunk Forwarder

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!