My Splunk Universal Forwarder is not able to read the modification on a file under the path "C:\Program Files (x86)"
My inputs.conf is:
[monitor://C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log]
sourcetype = TeamViewer:Connection:Client
index = teamviewer
disabled = 0
queue = indexQueue
What am I doing wrong? I cannot see anything about this file in splunkd.log.
I was missing props.conf, it is mandatory even if it is empty
@danielearangiomazza If your problem is resolved, please accept the answer to help future readers.
Does the forwarder have read access to the file?
The file is setted r/w for everyone
"Cannot read modification" does it mean that the file has been indexed, just the modification that you can't see on splunk?
The destination index is still empty
ls -ll
teamviewer
index in the indexer?