how to add data using forwarder in linux

windyita · ‎02-12-2014

I have read this Q&A
http://answers.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux

however in step 7:
/opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%
Where /path/to/app/logs/ is the path to application logs on the host that you want to bring into Splunk, and %app% is the name you want to associate with that type of data
This will create a file: inputs.conf in /opt/splunk/etc/apps/search/local/ -- here is some documentation on inputs.conf:
http://docs.splunk.com/Documentation/Splunk/4.3.2/admin/Inputsconf
Note: System logs in /var/log/ are covered in the configuration part of Step 7. If you have application logs in /var/log/*/

I didn't find inputs.conf in /opt/splunk/etc/apps/search/local
and the data can't be found in the indexer.
What's wrong????

MuS · ‎02-12-2014

Hi windyita,

here to help again 😉

you have to create any files in local directory yourself. This is were you store your conf files, so they will never be overwritten by any future Splunk software updates.

cheers, MuS

windyita · ‎02-12-2014

I'm suspicious about where step 7 should be executed. my indexer is in host A , data is in host B, shouldn't the command of ‘add monitor’be executed in A??
Besides, I have create a empty config file in the destination folder but still no data is written in it.

MuS · ‎02-12-2014

you run the command 'add monitor' on the server where your data is, so in your case on host B. regarding the inputs.conf, forget about it and use the 'add monitor' command at first try. This will handle it for you and you will get some data to start.....

how to add data using forwarder in linux

Re: how to add data using forwarder in linux

Re: how to add data using forwarder in linux

Re: how to add data using forwarder in linux