Getting Data In

input.conf first timer



I just finished day 1 of the administration of Splunk class. Gotta admit to being lost.So I fired up a lab, 3 VMs. splunk01, host01, deploy01 and DC01 (for DNS).

Installed Splunk on Splunk01 and it worked. Enabled the listening on 9997. Installed the forwarders on host01. I can see the host check in when I do a search with index=_internal *splunkforwarder* as we did in the class.

But I made my own little "app". I created a folder under /opt/splunkforwarder/etc/myappname and folder under there called /local

My inputs.conf which I placed in /local reads as follows

disabled = 0

I restarted the forwarder, waited. Nothing ever came through. Any ideas to what I should be checking now?

Tags (1)
0 Karma

Ultra Champion

You have ommitted the apps directory from the path :


Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.