Splunk Enterprise

Splunk Lite: After setting up Forwarders, how do I know what sources they are scanning?

New Member

Hello,

I have a Splunk Lite Cloud license and I have installed Forwarders on all machines. I have forgotten which files and directories I configured them with initially. I need to review and edit the forwarder configuration and the sources it scans, but I do not see a way to do it.

Thanks in advance.

Tags (1)
0 Karma

New Member

I have more information with respect to making changes to the fowarder configuration.

I found the following inputs.conf file for the server grid-web1:

file:
etc/apps/_server_app_weave_jetty/local/inputs.conf:
[monitor:///var/log/nginx] disabled =
false index = weave_web_tier

[monitor:///var/log] disabled = false
index = default

If I wanted to add another director or file to scan, would I add to this file and then restart the splunk service on the server?

0 Karma

Splunk Employee
Splunk Employee

Suggest you create a new question, but yes, just add something like the following to that inputs.conf file and restart the splunk service

[monitor:///path/to/new/directory/or/file.txt] 
disabled = false
index = default
0 Karma

Splunk Employee
Splunk Employee

Try running a search

index=_internal source=*/metrics.log group=per_source_thruput | stats values(series) by host

0 Karma

New Member

Super helpful...thx very much!

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!