
Location of configuration for inputs set up with installer (Windows-based forwarder)

dominiquevocat
SplunkTrust

We have set up universal forwarders on Windows. During the setup one can specify to monitor a specific folder and not much more.

The folder and files under it are listed by running
splunk list monitor
However, I would like to specify the target index, sourcetype and also perform some regex on the filename to set some properties.

I have had a look at every inputs.conf on the machine and fail to see the "[monitor:" stanza that tails this path.

0 Karma
1 Solution

dominiquevocat
SplunkTrust

I did overlook $SPLUNK_HOME\etc\apps\MSICreated\inputs.conf as per aholzer ( http://answers.splunk.com/users/142151/aholzer )

0 Karma

dominiquevocat
SplunkTrust

Indeed, it was in the (somehow overlooked) \MSICreated 😕 Thanks!

0 Karma

jtrucks
Splunk Employee

Install the Splunk on Splunk app and go to Data Inputs -> File Monitor Inputs to see where this is likely configured and how it is set up. Also, search the entire Splunk Forwarder for any file named inputs.conf and then be sure to look in every one of those files. It might not be written into the file in the exact way you expect, so you may have to search for a subset of your file path, say just one directory in the path, to find it - or just look manually as there aren't that many places to look.

--
Jesse Trucks
Minister of Magic

dominiquevocat
SplunkTrust

Thanks for the heads up, I will have to check what firewall rules are needed in order to see the forwarder - I only see the main indexer in S.o.S. etc. But thanks.

0 Karma

aholzer
Motivator

I find it highly unlikely that you searched ALL inputs.conf on the host. If these events are being generated from that host, then an inputs.conf must exist, the only question is where.

If you set up the monitoring via the .msi it's probably under $SPLUNK_HOME\etc\apps\MSICreated\ either in local or default. On the bright side you can simply create an inputs.conf inside of $SPLUNK_HOME\etc\system\local and override the inputs.conf without having to find it. I wouldn't suggest this, because you now have to maintain this file rather than a file inside an app. You can do this as a last resort.
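
An added example, not part of the thread and not Splunk's own tooling: a PowerShell function that performs the search described in the replies above, walking every inputs.conf under the forwarder's etc directory and reporting each [monitor:...] stanza together with the file that defines it. The function name Find-MonitorStanza, the default install path and the sample tree at the end are assumptions made for illustration.

```powershell
# Added example (not from the thread). Lists every [monitor:...] stanza in any
# inputs.conf under a forwarder's etc directory, with the file that defines it.
function Find-MonitorStanza {
    param(
        # Assumption: default universal forwarder install path; override as needed.
        [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
        # Optional fragment of the monitored path, e.g. a single directory name.
        [string]$PathFragment = ''
    )
    $etc = Join-Path $SplunkHome 'etc'
    $files = Get-ChildItem -Path $etc -Recurse -Filter 'inputs.conf' -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $current = $null
        foreach ($line in Get-Content -LiteralPath $f.FullName) {
            $text = $line.Trim()
            if ($text -eq '' -or $text.StartsWith('#')) { continue }
            if ($text -match '^\[(.*)\]$') {
                # A new stanza header closes the previous one: emit it if kept.
                if ($null -ne $current) { [pscustomobject]$current }
                $name = $Matches[1]
                $keep = $name.StartsWith('monitor:', [StringComparison]::OrdinalIgnoreCase) -and
                        ($name.IndexOf($PathFragment, [StringComparison]::OrdinalIgnoreCase) -ge 0)
                $current = $null
                if ($keep) {
                    $current = [ordered]@{ File = $f.FullName; Stanza = $name; Settings = @() }
                }
            }
            elseif ($null -ne $current -and $text -match '^([^=]+?)\s*=\s*(.*)$') {
                # key = value lines belong to the stanza currently being collected.
                $current.Settings += ('{0} = {1}' -f $Matches[1].Trim(), $Matches[2])
            }
        }
        if ($null -ne $current) { [pscustomobject]$current }
    }
}

# Constructed sample tree so the function can be tried without a forwarder.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'uf-demo'
$app  = Join-Path $demo 'etc\apps\MSICreated\local'
New-Item -ItemType Directory -Path $app -Force | Out-Null
Set-Content -LiteralPath (Join-Path $app 'inputs.conf') -Value @(
    '[monitor://C:\constructed\logs]',
    'disabled = 0'
)
Find-MonitorStanza -SplunkHome $demo -PathFragment 'logs' | Format-List
```

On a real forwarder, call the function without -SplunkHome (or with the actual install path) and pass one directory name from the monitored path as -PathFragment. Splunk's own splunk btool inputs list --debug also prints the merged input configuration with the file each line comes from.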
