Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

input.conf first timer

daniel333
Builder
‎12-17-2012 09:18 PM

All,

I just finished day 1 of the administration of Splunk class. Gotta admit to being lost.So I fired up a lab, 3 VMs. splunk01, host01, deploy01 and DC01 (for DNS).

Installed Splunk on Splunk01 and it worked. Enabled the listening on 9997. Installed the forwarders on host01. I can see the host check in when I do a search with index=_internal *splunkforwarder* as we did in the class.

But I made my own little "app". I created a folder under /opt/splunkforwarder/etc/myappname and folder under there called /local

My inputs.conf which I placed in /local reads as follows

[monitor:///var/log/messages]
disabled = 0
index=main

I restarted the forwarder, waited. Nothing ever came through. Any ideas to what I should be checking now?

Tags (1)
0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎12-17-2012 10:47 PM

You have ommitted the apps directory from the path :

/opt/splunkforwarder/etc/apps/myappname/local/inputs.conf

Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!