Hey guys, I've seen a couple of similar questions to mine but nothing has helped. I have a very simple edit in the inputs.conf of my Universal Forwarder on a Windows Server.
It has in it:
[default]
host = server2003-splu
[fschange:C:\Program Files\]
index = _audit
signedaudit = false
#pollPeriod = 1
#hashMaxSize = 10485760
#fullEvent = true
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0
Any reason why, when I do a search
index=_audit sourcetype=fs_notification host=server2003-splu
it doesn't come back with anything even after adding, changing and deleting files and folders in the Program Files directory?
Thanks for any help you can give me
It works now. Same config, same search, nothing changed. It was a stupid mistake after all: the Universal Forwarder was not being restarted properly.
Answer:
Make sure you restart the server properly
C:\Program Files\SplunkUniversalForwarder\bin>splunk.exe restart
Sorry, I didn't mean to sound pushy.
Your question was posted only an hour ago. You can't expect people doing this on their spare time to always see and respond to the question immediately...
The sourcetype should be fs_notification, not fs_notifications. Also you have a typo in the stanza below (diasbled instead of disabled), though that shouldn't affect the fschange stanza.
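A small lint for an inputs.conf fragment like the one in the question, added here as an illustration (it is not code from this thread or from Splunk): it parses the stanzas, flags attribute names that look misspelt such as the diasbled mentioned above, warns when the fschange input is switched off, and derives the search that stanza's events should answer. The fschange attribute list and the fs_notification/audittrail sourcetype rule follow the inputs.conf spec; SAMPLE_CONF is constructed from the poster's stanzas.

```python
import difflib

# Attributes the inputs.conf spec lists for [fschange:<path>] stanzas, and the generic ones every
# input stanza accepts. Other stanza types are only checked against the generic set.
FSCHANGE_KEYS = {"index", "recurse", "followLinks", "pollPeriod", "hashMaxSize", "fullEvent",
                 "sendEventMaxSize", "signedaudit", "filters", "filesPerDelay", "delayInMills",
                 "disabled", "host", "sourcetype"}
GENERIC_KEYS = {"disabled", "host", "index", "source", "sourcetype", "queue"}
# Constructed sample: the poster's stanzas plus the "diasbled" typo the answer points out.
SAMPLE_CONF = r"""
[default]
host = server2003-splu
[fschange:C:\Program Files\]
index = _audit
signedaudit = false
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
diasbled = 0
"""

def parse_conf(text):
    """Return {stanza: {key: value}}. '#' lines are comments; keys are case-sensitive."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def lint(text):
    """Findings: attribute names that look misspelt, and fschange stanzas that are switched off."""
    findings = []
    for stanza, attrs in parse_conf(text).items():
        known = FSCHANGE_KEYS if stanza.startswith("fschange:") else GENERIC_KEYS
        for key in set(attrs) - known:  # unknown key: report it only if it is close to a real one
            for guess in difflib.get_close_matches(key, known, n=1, cutoff=0.75):
                findings.append(f"[{stanza}] '{key}' is not an attribute; did you mean '{guess}'?")
        if known is FSCHANGE_KEYS and attrs.get("disabled", "0").lower() in ("1", "true"):
            findings.append(f"[{stanza}] input is disabled, so it emits no events")
    return findings

def expected_search(text):
    """Search that should return this conf's fschange events; signedaudit=true means sourcetype audittrail."""
    stanzas = parse_conf(text)
    fs = next((attrs for name, attrs in stanzas.items() if name.startswith("fschange:")), {})
    sourcetype = "audittrail" if fs.get("signedaudit", "false").lower() == "true" else "fs_notification"
    host = stanzas.get("default", {}).get("host", "*")
    return f"index={fs.get('index', '*')} sourcetype={sourcetype} host={host}"
```

Running lint(SAMPLE_CONF) reports only the diasbled key in the script stanza, and expected_search(SAMPLE_CONF) yields the same search the question used, which is why the fix in this thread was the forwarder restart rather than the config.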
Hey, thanks for your answer, but that's a typo on my behalf; any query I use to search does not bring any results (I'll edit the question with the right search parameters, though; thanks for pointing it out).
No one knows how I can change my file to make it work? I don't mind rewriting it if someone thinks it needs to be changed completely