To create a new index, you need to modify indexes.conf.
To assign a new index and sourcetype to your data, you need to modify inputs.conf.
To configure settings to extract timestamps and fields from your data and to set event boundaries for your data, you need to modify props.conf.
To set parsing rules, you need to modify transforms.conf.
If you can explain more about what you're trying to achieve, we can direct you to the correct configuration file(s).
What part of it did not work? You can't see data in your new index with your new sourcetype? Or is the data not assigned to the right index and sourcetype even after correctly defining your inputs.conf? Can you share your inputs.conf (mask unwanted information)? Thanks.
This is my inputs.conf in splunkuniversalforwarder\etc\system\local
I also created a new sourcetype and index with the same names in Splunk because they weren't created automatically, and there are no events in my indexer.
I am assuming your monitor stanza is
Can you see your input when you run this command: splunk list inputstatus?
Try expanding your time range. Search for "All-Time" to see if any data shows up?
Please see that you've checked all the aspects listed here in the documentation.
This can mean Splunk is trying to monitor your file but the file is missing. Can you navigate to the C:\var\ folder and check if there are log files starting with log (because, according to your monitor stanza, Splunk will ONLY read files starting with log and ending in the .log extension)? Also, please check if these log files have any data.