Getting Data In

input.conf first timer



I just finished day 1 of the administration of Splunk class. Gotta admit to being lost.So I fired up a lab, 3 VMs. splunk01, host01, deploy01 and DC01 (for DNS).

Installed Splunk on Splunk01 and it worked. Enabled the listening on 9997. Installed the forwarders on host01. I can see the host check in when I do a search with index=_internal *splunkforwarder* as we did in the class.

But I made my own little "app". I created a folder under /opt/splunkforwarder/etc/myappname and folder under there called /local

My inputs.conf which I placed in /local reads as follows

disabled = 0

I restarted the forwarder, waited. Nothing ever came through. Any ideas to what I should be checking now?

Tags (1)
0 Karma

Ultra Champion

You have ommitted the apps directory from the path :


Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!