So I created an app folder... and indexes.conf... and an inputs.conf to monitor a directory.
I then restarted Splunk via CLI and everything was perfect. Lots of data being indexed immediately.
I realized my sourcetype was wrong, so I...
stopped Splunk
made my change to the inputs.conf file for the name of the sourcetype I wanted
did a splunk clean eventdata
started Splunk
[monitor:///data/splunk/mydata/]
index = mydata
sourcetype = mysourcetype
crcSalt =
disabled = false
I have 0 events, and can't seem to populate the index again.
Does this have to do with the "crcSalt = " line I have in my inputs.conf?
I have even created a new, different index... still no go.
Thoughts?