Some things need to be considered:
- What kind of OS is running on the host where the logs are located?
- Is there already data being sent from that device(s) to Splunk?
- Which version of Splunk are you running: version number? Cloud or on-prem?
- Are Splunk and the source VM running in the same network?
But basically, the most common way is to use a Universal Forwarder and monitor the folder where these log files are located.
The time/date should be recognized by Splunk without any further configurations.
The station where the logs are runs on Windows 10. A forwarder is there already, but I don't know how to configure it for this specific event. The main Splunk server is also running on Windows 10. We have our own server here, so the Splunk we are running is on-prem, in the same network as the forwarder client.
Alright, quick and dirty is to add the following stanza to the file and restart the forwarder:

disabled = 0
index = <indexname>
sourcetype = <sourcetype>
The index needs to exist in Splunk and it should reflect the data that it contains. Maybe there is already an index that fits the data; if not, you would have to create one (another topic). You could check the stanzas that are already in the inputs.conf, or do some searches like index=* | stats count by index, sourcetype (not verbose, and only for a timeframe of a few hours) to get a feeling for how the data is set up in your environment.
The sourcetype is your choice, but again should be related to the data.
Example: When adding network devices, you could call the index "dell" and the sourcetype "dell:switches". Not sure what kind of logs you are ingesting....
Are you the admin of the Splunk environment? I would suggest at least doing the Fundamentals I & II courses.
If you are not the Admin, then ask them what index and sourcetype you should choose. Also they probably want to create an app for the input instead of adding the stanza to the "main" inputs.conf.
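The steps in the reply above (add a monitor stanza to inputs.conf, check it, restart the forwarder), written out as an added PowerShell example; it is not code from the thread or from Splunk. It assumes the default Universal Forwarder install path and service name on Windows, and the log folder, index and sourcetype are placeholders you replace with your own values. It writes to the "main" inputs.conf under etc\system\local as the reply describes; if your admin prefers an app, point $InputsConf at etc\apps\<yourapp>\local\inputs.conf instead.

```powershell
# Added example: configure a Windows Universal Forwarder to monitor a log folder,
# verify the effective stanza, and restart the forwarder.
# Paths and names below are assumed defaults or placeholders; adjust before use.

$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # assumed default UF install path
$LogFolder  = 'C:\ProgramData\MyApp\Logs'                   # placeholder: folder holding the log files
$Index      = 'myapp'                                       # placeholder: index that already exists on the indexer
$SourceType = 'myapp:log'                                   # placeholder: sourcetype describing the data

# The "main" inputs.conf under etc\system\local (the quick-and-dirty option from the thread).
$InputsConf = Join-Path $SplunkHome 'etc\system\local\inputs.conf'

# Monitor stanza: the header names the files, the body sets the three keys from the reply.
$Header = "[monitor://$LogFolder\*.log]"
$Stanza = @"

$Header
disabled = 0
index = $Index
sourcetype = $SourceType
"@

# Append only if this monitor stanza is not already present, so a re-run does not duplicate it.
if (-not (Test-Path $InputsConf) -or -not (Select-String -Path $InputsConf -SimpleMatch $Header -Quiet)) {
    Add-Content -Path $InputsConf -Value $Stanza -Encoding ASCII   # ASCII: no BOM in the conf file
}

# The forwarder can only read what its service account is allowed to read:
# show who it runs as and the ACL on the folder so a permission gap is visible before restarting.
$Svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
"Forwarder runs as: $($Svc.StartName)"
(Get-Acl -Path $LogFolder).Access | Select-Object IdentityReference, FileSystemRights

# Show the merged monitor stanzas exactly as the forwarder will apply them (catches typos and precedence surprises).
& (Join-Path $SplunkHome 'bin\splunk.exe') btool inputs list monitor --debug

# Restart the forwarder so the new input is picked up.
Restart-Service -Name SplunkForwarder
```

Run it from an elevated PowerShell prompt on the forwarder host. The ACL check is there because a stanza that looks right but points at a folder the forwarder's account cannot read simply produces no data; the btool output is the quickest way to confirm which inputs.conf a stanza actually came from when there are several.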