Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

how to add data using forwarder in linux

windyita
New Member
‎02-12-2014 12:48 AM

I have read this Q&A
http://answers.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux

however in step 7:
/opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%
Where /path/to/app/logs/ is the path to application logs on the host that you want to bring into Splunk, and %app% is the name you want to associate with that type of data
This will create a file: inputs.conf in /opt/splunk/etc/apps/search/local/ -- here is some documentation on inputs.conf:
http://docs.splunk.com/Documentation/Splunk/4.3.2/admin/Inputsconf
Note: System logs in /var/log/ are covered in the configuration part of Step 7. If you have application logs in /var/log/*/

I didn't find inputs.conf in /opt/splunk/etc/apps/search/local
and the data can't be found in the indexer.
What's wrong????

Tags (2)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎02-12-2014 12:55 AM

Hi windyita,

here to help again 😉

you have to create any files in local directory yourself. This is were you store your conf files, so they will never be overwritten by any future Splunk software updates.

cheers, MuS

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎02-12-2014 01:30 AM

you run the command 'add monitor' on the server where your data is, so in your case on host B. regarding the inputs.conf, forget about it and use the 'add monitor' command at first try. This will handle it for you and you will get some data to start.....

0 Karma
Reply

windyita
New Member
‎02-12-2014 01:14 AM

I'm suspicious about where step 7 should be executed. my indexer is in host A , data is in host B, shouldn't the command of ‘add monitor’be executed in A??
Besides, I have create a empty config file in the destination folder but still no data is written in it.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...