I have read through the many documentation articles but they are all so broken apart that it is hard to piece together all the needed info.
Under Manager » Data inputs » Add data » Files & directories » Data preview
it allows me to edit using a regex to define my fields. All my record events start with "At 16:38:54 -0500 - ", so a regex of [0-9][0-9]:[0-9][0-9]:[0-9][0-9] or something similar will catch the lines.
This works, but only for the local Splunk server. If I try to grab the data off of a remote system, then I need to use the universal forwarder. This is where my problem starts.
First, I configured the forwarder via the GUI and it appears to work, kind of. It never presented me with any options on how to define the data that it found in the log files.
Then, when I thought it wasn't working, I was unable to figure out how to modify the forwarder to change its configuration. It just runs as a service and I'm unable to modify any options.
So, how do I modify the config of the forwarder? And is it possible to define the data via regex?
This is running 5.0.1 on Windows for both server and clients.
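As an added example (not part of the original post or Splunk's own documentation), here are the two configuration files involved: inputs.conf on the Windows universal forwarder, which only tails and ships the files, and props.conf on the indexer, which is where event breaking and timestamp parsing for "At 16:38:54 -0500 - " actually happen. The log path, sourcetype name and indexer hostname are placeholders.

```ini
# --- On the universal forwarder ---
# %SPLUNK_HOME%\etc\system\local\inputs.conf
# (default %SPLUNK_HOME% is C:\Program Files\SplunkUniversalForwarder)
# Edit with a text editor; the service is then restarted with
#   "%SPLUNK_HOME%\bin\splunk.exe" restart

[monitor://C:\logs\app\*.log]   ; placeholder path
sourcetype = myapp                 ; placeholder sourcetype, must match props.conf below
index = main
disabled = 0

# %SPLUNK_HOME%\etc\system\local\outputs.conf
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer.example.com:9997  ; placeholder indexer host and receiving port

# --- On the indexer ---
# $SPLUNK_HOME/etc/system/local/props.conf
# The universal forwarder does not apply LINE_BREAKER / TIME_* settings;
# they must live on the indexer that receives the data.

[myapp]
# Do not glue lines back together; rely solely on LINE_BREAKER.
SHOULD_LINEMERGE = false
# Group 1 (the newline run) is consumed as the delimiter; the lookahead
# makes Splunk break only where the next line starts with the
# "At HH:MM:SS -ZZZZ - " prefix, so multi-line events stay intact.
LINE_BREAKER = ([\r\n]+)(?=At \d{2}:\d{2}:\d{2} [-+]\d{4} - )
# Timestamp sits right after the literal "At ".
TIME_PREFIX = ^At\s
TIME_FORMAT = %H:%M:%S %z
MAX_TIMESTAMP_LOOKAHOOK_PLACEHOLDER = 0
```

The last line is a deliberate placeholder to remove: the real setting is `MAX_TIMESTAMP_LOOKAHEAD = 20`, which limits how far past TIME_PREFIX Splunk scans for the timestamp.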