I have a issue with picking up the keyword from a tail of a text file. Reading through the documention found that there is a suggestion to add 'followTail = 1' to the inputs.conf file.
Now ( i hope i am right) the input.conf that i need to edit is:
unfortunately, this file cannot be edited or saved, as system complains that 'access is denied'.
Then i stopped the splunkd and splunkweb, services, and put them as manual rather than automatic, and restarted the machine. Verified that the services mentioned were not running, but still there seems to be a lock on the file.
I am editing the correct inputs.conf file?
How can i successfully edit the file and add the changes?
You need to check the file permissions in Windows to determine why you are getting an access denied when trying to edit that file.
That said, you shouldn't be editing the inputs.conf file in "default". Best practice for all your own modifications is to create an inputs.conf in "local" instead (so full path would be
"C:\Program Files\Splunk\etc\apps\SplunkLightForwarder\local\inputs.conf"). Any settings in this file will override the ones in "default".
well, i have added the inputs.conf file to the folder that was suggested.
I am now struggling with what condition to put for the alerts. Basically the following are at disposal:
2)if number of events
3)if number of hosts
4)if number of sources
5)if custom condition is met
need to know which one to define, so that the alert is sent out the moment the keyword is there in the new text that was written to in the dynamic text file.
Also i have set the start time as 'rt-60s' and finish time as 'rt'.