however in step 7:
/opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%
Where /path/to/app/logs/ is the path to application logs on the host that you want to bring into Splunk, and %app% is the name you want to associate with that type of data
This will create a file: inputs.conf in /opt/splunk/etc/apps/search/local/ -- here is some documentation on inputs.conf:
Note: System logs in /var/log/ are covered in the configuration part of Step 7. If you have application logs in /var/log/*/
I didn't find inputs.conf in /opt/splunk/etc/apps/search/local
and the data can't be found in the indexer.
here to help again 😉
you have to create any files in
local directory yourself. This is were you store your conf files, so they will never be overwritten by any future Splunk software updates.
I'm suspicious about where step 7 should be executed. my indexer is in host A , data is in host B, shouldn't the command of ‘add monitor’be executed in A??
Besides, I have create a empty config file in the destination folder but still no data is written in it.
you run the command 'add monitor' on the server where your data is, so in your case on host B. regarding the inputs.conf, forget about it and use the 'add monitor' command at first try. This will handle it for you and you will get some data to start.....