Solved: I've configured inputs.conf for a Splunk forwarder... - Page 2

kemmlli · ‎06-14-2016

Hi,

I'm evaluating Splunk for the first time. I installed a forwarder on a Windows server and I configured the inputs.conf (/etc/system/local) like this:

[default]
host = name1

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[monitor://C:\Program Files (x86)\FileZilla Server\Logs\]
host = name1
index=FTP_logs_2
source="C:\Program Files (x86)\FileZilla Server\Logs\"
disabled = 0
whitelist=.log$
#ignoreOlderThan = 7d
#blacklist=C:\logs\onelog.log

The goal is to monitor FileZilla logs.
Index has been created on indexer.

When I'm trying to search data by typing name1 on the Splunk search bar, I get no data. name1 is also not on the host tab in Data Summary button. I need first to search the index in order to see data and search with a random word for finding what I want.

Can anyone help me ?
Thanks,

davebrooking · ‎07-07-2016

By default Splunk will only search the main index. You can add extra default indexes to different roles from Settings > Access controls > Roles select the appropriate role, and in the section "Indexes searched by default" add the index FTP_logs_2.

However, the search manual states for efficient searches you should be more specific, adding indexes in this way will search through more data

Dave

View solution in original post

I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life