Splunk Enterprise
Highlighted

Splunk Lite: After setting up Forwarders, how do I know what sources they are scanning?

New Member

Hello,

I have a Splunk Lite Cloud license and I have installed Forwarders on all machines. I have forgotten which files and directories I configured them with initially. I need to review and edit the forwarder configuration and the sources it scans, but I do not see a way to do it.

Thanks in advance.

Tags (1)
0 Karma
Highlighted

Re: Splunk Lite: After setting up Forwarders, how do I know what sources they are scanning?

Splunk Employee
Splunk Employee

Try running a search

index=_internal source=*/metrics.log group=per_source_thruput | stats values(series) by host

0 Karma
Highlighted

Re: Splunk Lite: After setting up Forwarders, how do I know what sources they are scanning?

New Member

Super helpful...thx very much!

0 Karma
Highlighted

Re: Splunk Lite: After setting up Forwarders, how do I know what sources they are scanning?

New Member

I have more information with respect to making changes to the fowarder configuration.

I found the following inputs.conf file for the server grid-web1:

file:
etc/apps/serverappweavejetty/local/inputs.conf:
[monitor:///var/log/nginx] disabled =
false index = weavewebtier

[monitor:///var/log] disabled = false
index = default

If I wanted to add another director or file to scan, would I add to this file and then restart the splunk service on the server?

0 Karma
Highlighted

Re: Splunk Lite: After setting up Forwarders, how do I know what sources they are scanning?

Splunk Employee
Splunk Employee

Suggest you create a new question, but yes, just add something like the following to that inputs.conf file and restart the splunk service

[monitor:///path/to/new/directory/or/file.txt] 
disabled = false
index = default
0 Karma