Splunk Lite: After setting up Forwarders, how do I...

danieljoleary · ‎10-10-2018

Hello,

I have a Splunk Lite Cloud license and I have installed Forwarders on all machines. I have forgotten which files and directories I configured them with initially. I need to review and edit the forwarder configuration and the sources it scans, but I do not see a way to do it.

Thanks in advance.

danieljoleary · ‎10-11-2018

I have more information with respect to making changes to the fowarder configuration.

I found the following inputs.conf file for the server grid-web1:

file:
etc/apps/_server_app_weave_jetty/local/inputs.conf:
[monitor:///var/log/nginx] disabled =
false index = weave_web_tier

[monitor:///var/log] disabled = false
index = default

If I wanted to add another director or file to scan, would I add to this file and then restart the splunk service on the server?

sduff_splunk · ‎10-13-2018

Suggest you create a new question, but yes, just add something like the following to that inputs.conf file and restart the splunk service

[monitor:///path/to/new/directory/or/file.txt] 
disabled = false
index = default

sduff_splunk · ‎10-10-2018

Try running a search

index=_internal source=*/metrics.log group=per_source_thruput | stats values(series) by host

danieljoleary · ‎10-11-2018

Super helpful...thx very much!

Splunk Lite: After setting up Forwarders, how do I know what sources they are scanning?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!