Splunk Enterprise

Splunk Lite: After setting up Forwarders, how do I know what sources they are scanning?

danieljoleary
New Member

Hello,

I have a Splunk Lite Cloud license and I have installed Forwarders on all machines. I have forgotten which files and directories I configured them with initially. I need to review and edit the forwarder configuration and the sources it scans, but I do not see a way to do it.

Thanks in advance.

Tags (1)
0 Karma

danieljoleary
New Member

I have more information with respect to making changes to the fowarder configuration.

I found the following inputs.conf file for the server grid-web1:

file:
etc/apps/_server_app_weave_jetty/local/inputs.conf:
[monitor:///var/log/nginx] disabled =
false index = weave_web_tier

[monitor:///var/log] disabled = false
index = default

If I wanted to add another director or file to scan, would I add to this file and then restart the splunk service on the server?

0 Karma

sduff_splunk
Splunk Employee
Splunk Employee

Suggest you create a new question, but yes, just add something like the following to that inputs.conf file and restart the splunk service

[monitor:///path/to/new/directory/or/file.txt] 
disabled = false
index = default
0 Karma

sduff_splunk
Splunk Employee
Splunk Employee

Try running a search

index=_internal source=*/metrics.log group=per_source_thruput | stats values(series) by host

0 Karma

danieljoleary
New Member

Super helpful...thx very much!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...