I have following input.conf in an app on my deployment server
[Monitor://%product_home%\logs\stdout.log] disabled=0 followtail=0 sourcetype=product_stdout index=product_logs
The app deploys to the target server fine, and i also have a forwarding app which also deploys fine (I am also monitoring windows event logs, and these appear in the index no problem, so I know both this and the forwarding app work correctly)
However, my stdout.log doesn't seem to be making it into the product_logs index (the index does exist)
I have seen mention of accessing
on the target server, but I get prompted with a login box with no idea what credentials to enter in. likewise if i run the equivalent request from the command line, i get prompted to enter a username and password. after it fails i get a 401 unauthorized error.
I have tried various combinations ...
[Monitor://$product_home\logs\stdout.log] [Monitor://c:\really long path\in here\logs\stdout.log] [Monitor://%product_home%\logs\stdout.log]
To no avail.
stdout.log does exist and has content, there are no special permissions on the file and the Splunk agent is running as local system
%PRODUCT_HOME% is defined on the target server as a system environment variable, and is in use by other programs, so I know the path is valid.
The splunkd.log doesn't appear to have anything useful to tell me other than the app deployed ok.
I am sure this must be something incredibly simple that I am missing, but I can't see it for the conf.