Recently I have configured a universal forwarder on a Windows 32 bit machine. I can see the Splunk process is running, but when I'm trying to edit inputs.conf, it's giving access denied, even after stopping the services. Later I tried to create one inputs.conf in the local directory, but still I'm getting the same error. File has given all the admin privileges. Can someone please help?
Open the nodepad or any text editor as administrator (run as administrator) and then select the file for editing.
now im able to edit and added windows logs in inputs.conf file,but i see no logs are being forwarded to indexer.and no latest events please help me
Have you confirmed successful forwarding from that forwarder before? Also, I don't recall off the top of my head, but if you modified inputs.conf you may need to restart splunk for the change to become effective. The docs should tell you which changes require a restart.
Just FYI these posts are from Jul 2016! I suspect this might have been worked out by now 🙂