Getting Data In

Why is our Splunk Universal Forwarder not able to read the modification on a file under the path "C:\Program Files (x86)"?

My Splunk Universal Forwarder is not able to read the modification on a file under the path "C:\Program Files (x86)"

My inputs.conf is:

[monitor://C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log]
sourcetype = TeamViewer:Connection:Client
index = teamviewer
disabled = 0
queue = indexQueue

What am I doing wrong? I cannot see anything about this file in splunkd.log.

0 Karma
1 Solution

I was missing props.conf, it is mandatory even if it is empty

View solution in original post

0 Karma

I was missing props.conf, it is mandatory even if it is empty

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

@danielearangiomazza If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

SplunkTrust
SplunkTrust

Does the forwarder have read access to the file?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

The file is setted r/w for everyone

0 Karma

Communicator

"Cannot read modification" does it mean that the file has been indexed, just the modification that you can't see on splunk?

0 Karma

The destination index is still empty

0 Karma

Communicator
  1. As @richgalloway mentioned, do you have read access to this file, check the permissions by executing ls -ll
  2. Are the splunkd services running?
  3. Did you create the teamviewer index in the indexer?
  4. if you added that monitoring stanza manually in the inputs.conf, did you restart your universal forwarder after that?
  5. Does your sourcetype exist in the indexer?
  6. Retry without the queue = indexQueue?
0 Karma