Getting Data In

new index and sourcetype

neermine
Path Finder

Should we modify props.conf and transforms.conf when we create a new index and a new sourcetype?

0 Karma

sudosplunk
Motivator

Hello,

To create a new index, you need to modify indexes.conf.
To assign a new index and sourcetype to your data, you need to modify inputs.conf.
To configure settings that extract timestamps and fields from your data and set event boundaries for your data, you need to modify props.conf.
To set parsing rules, you need to modify transforms.conf.

If you can explain more about what you're trying to achieve, we can direct you to the correct configuration file(s).

0 Karma

neermine
Path Finder

I'm trying to assign a new index and sourcetype to my data. I did modify inputs.conf but it didn't work; I thought maybe it's not the only thing that I must do.

0 Karma

sudosplunk
Motivator

What part of it did not work? You can't see data in your new index with your new sourcetype? Or is the data not assigned to the right index and sourcetype even after correctly defining your inputs.conf? Can you share your inputs.conf (mask unwanted information)? Thanks.

0 Karma

neermine
Path Finder

This is my inputs.conf in splunkuniversalforwarder\etc\system\local:
[monitor:/C:\var\log*.log]
disabled = 0
sourcetype = log
index = me
I also created a new sourcetype and index with the same names in Splunk because they weren't created automatically, and there are no events in my indexer.
Thanks.

0 Karma

sudosplunk
Motivator

I am assuming your monitor stanza is [monitor://C:\var\log*.log].
Can you see your input when you run the command splunk list inputstatus?
Try expanding your time range. Search over "All Time" to see if any data shows up.

Please check that you've covered all the aspects listed here in the documentation.

0 Karma

neermine
Path Finder

When I run splunk list inputstatus I find c:\var\log*.log type = missing.

0 Karma

sudosplunk
Motivator

This can mean Splunk is trying to monitor your file but the file is missing. Can you navigate to the C:\var\ folder and check if there are log files starting with log (because, according to your monitor stanza, Splunk will ONLY read files starting with log and ending in the .log extension)? Also, please check if these log files have any data.

0 Karma

neermine
Path Finder

There are log files in var\log\splunk (files like splunkd.log, health.log), so I changed the monitor to var\log\splunk\*.log, but the type is still missing.

0 Karma
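Pulling the thread together, here is an added example (not something posted in this thread) of the four configuration files sudosplunk lists, wired up for the index me and sourcetype log from neermine's inputs.conf, with a monitor stanza written the way the reply assumes it. The absolute Windows path, the timestamp format, the transform name and the log:health sourcetype are assumptions.

```ini
# Added example, not from the thread. Four Splunk .conf files that together
# define an index, assign it and a sourcetype to monitored files, and parse them.
# Paths, the timestamp format and the "log:health" name are assumptions.

# --- indexes.conf (indexer): the index must exist before data is sent to it ---
[me]
homePath   = $SPLUNK_DB/me/db
coldPath   = $SPLUNK_DB/me/colddb
thawedPath = $SPLUNK_DB/me/thaweddb

# --- inputs.conf (universal forwarder): assign index and sourcetype ---
# monitor:// takes two slashes and an absolute path, drive letter included.
# "C:\var\log*.log" would match only files in C:\var\ whose names start
# with "log"; the pattern below matches every .log file in C:\var\log\splunk\.
[monitor://C:\var\log\splunk\*.log]
disabled   = 0
index      = me
sourcetype = log

# --- props.conf (indexer / heavy forwarder): event boundaries and timestamps ---
[log]
SHOULD_LINEMERGE        = false
LINE_BREAKER            = ([\r\n]+)
TIME_PREFIX             = ^
# assumed to match lines like "06-27-2022 10:15:22.123 +0000 INFO ..."
TIME_FORMAT             = %m-%d-%Y %H:%M:%S.%3N %z
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS-st           = set_health_sourcetype

# --- transforms.conf (indexer / heavy forwarder): parsing rules ---
# Re-label events read from health.log so they get their own sourcetype
# (assumed name "log:health"); all other files keep sourcetype "log".
[set_health_sourcetype]
SOURCE_KEY = MetaData:Source
REGEX      = health\.log$
FORMAT     = sourcetype::log:health
DEST_KEY   = MetaData:Sourcetype
```

After a restart, splunk list inputstatus on the forwarder should report the monitor path without type = missing if the directory and files exist.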