Hello
I try to summarize the different steps to onboard automatically a csv file in Splunk
1) On the forwarder:
- I need an inputs.conf to tell the forwarder what data to send. (And eventually props.conf)
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
- I also need an outputs.conf to tell the forwarder where to send the data.
inputs.conf
[monitor://C:\Program Files\SysCheck\Logs\*.txt]
outputs.conf
[tcpout:anyName] server=indexer.myco.com:9997
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf
2) On the indexer
I need to configure the receiving port on http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Enableareceiver
Is it correct?
Thanks
Hi @jip31,
yes it's correct.
Only one additional step: if you have a csv file, you have to also add props.conf (containing INDEXED_EXTRACTION = csv ) to the Forwarder.
Ciao.
Giuseppe
Hi @jip31,
yes it's correct.
Only one additional step: if you have a csv file, you have to also add props.conf (containing INDEXED_EXTRACTION = csv ) to the Forwarder.
Ciao.
Giuseppe
Hi @jip31,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉