Should we modify the props.conf and the transforms.conf when we create a new index and a new sourcetype?
Hello,
To create a new index, you need to modify indexes.conf.
To assign a new index and sourcetype to your data, you need to modify inputs.conf.
To configure settings that extract timestamps and fields from your data and set event boundaries for your data, you need to modify props.conf.
To set parsing rules, you need to modify transforms.conf.
If you can explain more about what you're trying to achieve, we can direct you to the correct configuration file(s).
I'm trying to assign a new index and sourcetype to my data. I did modify inputs.conf but it didn't work; I thought maybe it's not the only thing that I must do.
What part of it did not work? You can't see data in your new index with your new sourcetype? Or the data isn't assigned to the right index and sourcetype even after correctly defining your inputs.conf? Can you share your inputs.conf (mask unwanted information)? Thanks.
This is my inputs.conf in splunkuniversalforwarder\etc\system\local:
[monitor:/C:\var\log*.log]
disabled=0
sourcetype= log
index =me
I also created a new sourcetype and index with the same names in Splunk because they weren't created automatically, and there are no events in my indexer.
Thanks.
I am assuming your monitor stanza is [monitor://C:\var\log*.log].
Can you see your input when you run this command: splunk list inputstatus?
Try expanding your time range. Search over "All Time" to see if any data shows up.
Please see that you've checked all the aspects listed here in documentation.
When I run splunk list inputstatus I find c:\var\log*.log type = missing.
This can mean Splunk is trying to monitor your file but the file is missing. Can you navigate to the C:\var\ folder and check if there are log files starting with "log" (because, according to your monitor stanza, Splunk will ONLY read files starting with "log" and ending in the ".log" extension)? Also, please check if these log files have any data.
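The two checks made in the replies above (the stanza header needs `monitor://` with two slashes, and a wildcard in the file name only matches names in that one directory) can be scripted. The following is an added example written for this thread, not code from Splunk or from any poster; the inputs.conf text and the directory listing are constructed to mirror the stanza posted earlier, and the non-recursive `*` semantics follow Splunk's documented wildcard rules as the example's assumption.

```python
import fnmatch
import ntpath
import re

# Constructed inputs.conf text mirroring the stanza posted in the thread
# (the single slash after "monitor:" is the defect the reply points out).
INPUTS_CONF = """\
[monitor:/C:\\var\\log*.log]
disabled=0
sourcetype= log
index =me
"""

# Constructed directory listing (directory, file name) standing in for C:\var on the host.
LISTING = [
    ("C:\\var", "logfile.log"),
    ("C:\\var", "log.txt"),
    ("C:\\var", "app.log"),
    ("C:\\var\\log\\splunk", "splunkd.log"),
]

STANZA_RE = re.compile(r"^\[(?P<kind>[a-z]+):(?P<rest>.*)\]$")


def parse_monitor_stanzas(text):
    """Return (raw_header, path, warnings) for every [monitor:...] stanza in the text."""
    results = []
    for line in text.splitlines():
        m = STANZA_RE.match(line.strip())
        if not m or m.group("kind") != "monitor":
            continue
        rest = m.group("rest")
        warnings = []
        if rest.startswith("//"):
            path = rest[2:]
        else:
            # Splunk expects monitor://<path>; with one slash the input points at a path that is never found.
            path = rest.lstrip("/")
            warnings.append("stanza should read [monitor://%s]" % path)
        results.append((line.strip(), path, warnings))
    return results


def matching_files(path_pattern, listing):
    """Files a monitor path with a wildcard in its last segment picks up: same directory, basename matches."""
    directory, name_glob = ntpath.split(path_pattern)
    return [name for (d, name) in listing
            if d.lower() == directory.lower() and fnmatch.fnmatchcase(name, name_glob)]
```

Running `matching_files("C:\\var\\log*.log", LISTING)` returns only `logfile.log`: `log.txt` fails the extension, `app.log` fails the prefix, and `splunkd.log` lives in a subdirectory the pattern does not reach.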
There are log files in var\log\splunk (files like splunkd.log, health.log), so I changed the monitor to var\log\splunk\*.log, but the type is also missing.