Hi,
I have a universal forwarder set up on a Linux x64 machine, with a monitor set up from the CLI to load a whole folder full of log files. I do not receive data events at the receiver from the log files; some of the files are reported as binary files, but even the others are not showing up. It is a trial license and I have 0 license violations, and I could see the forwarder as active in the deployment monitor. I have tried cleaning the indexes and bouncing the Splunk instances on both machines, with no help. We need to decide soon whether we want to stick with Splunk, but only if we can get this one working in the first place.
/opt/splunkforwarder/etc/system/local/outputs.conf

[tcpout]
defaultGroup = alert.example.com_9997

[tcpout:alert.example.com_9997]
server = alert.example.com:9997

[tcpout-server://alert.example.com:9997]

/opt/splunkforwarder/etc/apps/search/local/inputs.conf

[monitor:///opt/auditLogs]
disabled = false
sourcetype = OAM10gAudit

At receiver:

/opt/splunk/etc/apps/search/local/inputs.conf

[splunktcp://9997]
index = oamaudit
I have an index created as oamaudit. Am I missing anything?
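Before digging into binary-file handling, it is worth confirming that the three files above actually agree with each other: the defaultGroup names a real tcpout stanza, the port the forwarder sends to is the port the receiver listens on, the monitor stanza is enabled, and every index named actually exists. The script below is an added example, not part of the original post and not Splunk's own tooling. It parses Splunk's .conf syntax (stanzas, `key = value`, `#` comments) and cross-checks a forwarder/receiver pair. The conf text embedded in it is a constructed copy of the stanzas posted above, and `RCV_INDEXES` is an assumption standing in for the list of indexes that exist on the receiver.

```python
"""Cross-check a Splunk forwarder/receiver config pair for the common
mismatches that leave a monitor input sending nothing useful.

Added example, not from the original post and not Splunk tooling. The
conf strings are constructed copies of the posted stanzas; RCV_INDEXES is
an assumed stand-in for the indexes that exist on the receiver.
"""
import re

# Constructed copies of the posted files (hostnames exactly as posted).
FWD_OUTPUTS = """
[tcpout]
defaultGroup = alert.example.com_9997

[tcpout:alert.example.com_9997]
server = alert.example.com:9997

[tcpout-server://alert.example.com:9997]
"""

FWD_INPUTS = """
[monitor:///opt/auditLogs]
disabled = false
sourcetype = OAM10gAudit
"""

RCV_INPUTS = """
[splunktcp://9997]
index = oamaudit
"""

# Assumption: indexes present on the receiver (the post says oamaudit was created).
RCV_INDEXES = {"main", "oamaudit"}


def parse_conf(text):
    """Parse Splunk .conf syntax into {stanza: {key: value}}.
    Keys are case-insensitive in Splunk, so they are lower-cased here."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip().lower()] = value.strip()
    return stanzas


def is_true(value):
    """Splunk accepts several spellings of boolean true."""
    return value.strip().lower() in ("1", "true", "t", "yes", "y", "on")


def check_pipeline(outputs_text, fwd_inputs_text, rcv_inputs_text, rcv_indexes):
    """Return a list of (severity, message) findings; an empty list means
    the three files are consistent with each other."""
    findings = []
    out = parse_conf(outputs_text)
    fwd = parse_conf(fwd_inputs_text)
    rcv = parse_conf(rcv_inputs_text)

    # 1. defaultGroup must name an existing [tcpout:<group>] stanza with a server.
    group = out.get("tcpout", {}).get("defaultgroup")
    targets = []
    if not group:
        findings.append(("error", "outputs.conf: [tcpout] has no defaultGroup"))
    elif ("tcpout:" + group) not in out:
        findings.append(("error", f"outputs.conf: defaultGroup '{group}' has no [tcpout:{group}] stanza"))
    else:
        targets = [s.strip() for s in out["tcpout:" + group].get("server", "").split(",") if s.strip()]
        if not targets:
            findings.append(("error", f"outputs.conf: [tcpout:{group}] sets no server"))

    # 2. Each target port needs an enabled [splunktcp://port] on the receiver.
    listen_ports = {
        name.split("://", 1)[1].rsplit(":", 1)[-1]
        for name, body in rcv.items()
        if name.startswith("splunktcp://") and not is_true(body.get("disabled", "false"))
    }
    for target in targets:
        port = target.rsplit(":", 1)[-1]
        if port not in listen_ports:
            findings.append(("error", f"receiver inputs.conf: no enabled [splunktcp://{port}] for target {target}"))

    # 3. Monitor stanzas must exist, be enabled, and point at a real index (or rely on the default).
    monitors = {n: b for n, b in fwd.items() if n.startswith("monitor://")}
    if not monitors:
        findings.append(("error", "forwarder inputs.conf: no [monitor://...] stanza"))
    for name, body in monitors.items():
        if is_true(body.get("disabled", "false")):
            findings.append(("error", f"forwarder inputs.conf: {name} is disabled"))
        index = body.get("index")
        if index is None:
            findings.append(("warn", f"forwarder inputs.conf: {name} sets no index; "
                                     "events fall back to the default index (main unless changed), "
                                     "so search index=main as well as the intended index"))
        elif index not in rcv_indexes:
            findings.append(("error", f"forwarder inputs.conf: {name} names index '{index}', which does not exist on the receiver"))

    # 4. An index named on the receiver's splunktcp stanza must exist too.
    for name, body in rcv.items():
        if name.startswith("splunktcp://") and body.get("index") and body["index"] not in rcv_indexes:
            findings.append(("error", f"receiver inputs.conf: {name} names missing index '{body['index']}'"))
    return findings


if __name__ == "__main__":
    for sev, msg in check_pipeline(FWD_OUTPUTS, FWD_INPUTS, RCV_INPUTS, RCV_INDEXES):
        print(f"[{sev}] {msg}")
```

Run against the posted stanzas the only finding is the warning that the monitor stanza sets no index, which is the first thing to rule out: search `index=main` on the receiver for `sourcetype=OAM10gAudit` before concluding nothing arrived. Point the same function at a receiver stanza on a different port, or at an index list without `oamaudit`, and it reports the mismatch as an error.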