Alright, the quick and dirty way is to add the following stanza to the file $SPLUNK_HOME/etc/system/local/inputs.conf and restart the forwarder:

    [monitor://C:\path\to\your\logfile\]
    disabled = 0
    index = <indexname>
    sourcetype = <sourcetype>

Note: The index needs to exist in Splunk and it should reflect the data that it contains. Maybe there is already an index that fits the data; if not, you would have to create one (another topic). You could check the stanzas that are already in the inputs.conf, or do some searches like index=* | stats count by index, sourcetype (not verbose, and only for a timeframe of a few hours) to get a feeling for how the data is set up in your environment. The sourcetype is your choice, but again it should be related to the data. Example: When adding network devices, you could call the index "dell" and the sourcetype "dell:switches".

Not sure what kind of logs you are ingesting.... Are you the Admin of the Splunk Environment? I would suggest at least doing the Fundamentals I & II courses. If you are not the Admin, then ask them what index and sourcetype you should choose. Also, they probably want to create an app for the input instead of adding the stanza to the "main" inputs.conf.

Hope this helps.
BR Ralph
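As an added illustration (not part of the answer above), the following Python script parses an inputs.conf fragment and flags enabled monitor stanzas that lack the index or sourcetype settings the answer calls for, or that point at an index not in a list of indexes you know exist. The sample config and the index list ({"main", "dell"}) are constructed for the example.

```python
# Added example (not from the original answer): check an inputs.conf fragment for
# enabled monitor stanzas that lack index/sourcetype or point at an unknown index.

# Constructed sample: one complete stanza, one missing sourcetype, and one
# referencing an index that is not in the known-index list.
SAMPLE_INPUTS_CONF = r"""
[monitor://C:\path\to\your\logfile\]
disabled = 0
index = dell
sourcetype = dell:switches

[monitor://C:\logs\app\]
disabled = 0
index = dell

[monitor://C:\logs\other\]
disabled = 0
index = nope
sourcetype = other:logs
"""

def parse_inputs_conf(text):
    """Return {stanza: {key: value}} from INI-style Splunk config text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip().lower()] = value.strip()
    return stanzas

def check_monitor_stanzas(text, known_indexes):
    """Return (stanza, problem) pairs for enabled monitor:// inputs."""
    problems = []
    for name, settings in parse_inputs_conf(text).items():
        enabled = settings.get("disabled", "0").lower() in ("0", "false")
        if not name.startswith("monitor://") or not enabled:
            continue  # disabled or non-file inputs send nothing, skip them
        for key in ("index", "sourcetype"):
            if key not in settings:
                problems.append((name, f"missing {key}"))
        index = settings.get("index")
        if index is not None and index not in known_indexes:
            problems.append((name, f"unknown index '{index}'"))
    return problems
```

Run it against a real inputs.conf by reading the file into `check_monitor_stanzas` together with the output of your `index=* | stats count by index` search.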