@gcusello Sorry, I might have confused you. Let me try to illustrate this clearly. I have server.host — this is where the test_log.json log is being collected. There is also splunk.test.host — I configured a Data Input, opened port 765 TCP, assigned it the index test_index, and set the sourcetype to _json. The setup on the splunk.test.host side is complete, and all network access is in place. Now, on the server.host side: In /etc/rsyslog.d/, I created a file called send_splunk.conf. In this config file, I specify the address splunk.test.host, port 765, and the TCP protocol. However, I’m having trouble correctly configuring /etc/rsyslog.d/send_splunk.conf so that rsyslog reads the test_log.json file and sends each new line to Splunk as it appears in the file.
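An added example, not part of the original post: one way to write /etc/rsyslog.d/send_splunk.conf for the setup described above, using rsyslog's imfile input and omfwd output. The file path is a placeholder (the post does not give the directory of test_log.json), and the tag, template and ruleset names are hypothetical.

```conf
# /etc/rsyslog.d/send_splunk.conf
# Added example; path, tag, template and ruleset names are assumptions.

# imfile tails text files and turns each new line into a message.
module(load="imfile")

# Forward only the original line, with no syslog header in front of it,
# so the _json sourcetype on the Splunk side receives plain JSON.
template(name="SplunkRawJson" type="string" string="%msg%\n")

# Dedicated ruleset: lines from this file go only to Splunk and are
# not also written by the default local rules.
ruleset(name="to_splunk") {
    action(type="omfwd"
           target="splunk.test.host"
           port="765"
           protocol="tcp"
           template="SplunkRawJson"
           # Buffer in memory and keep retrying while the receiver is down.
           queue.type="LinkedList"
           action.resumeRetryCount="-1")
}

# Placeholder path: replace with the real location of test_log.json.
input(type="imfile"
      file="/path/to/test_log.json"
      tag="test_log"
      ruleset="to_splunk")
```

Running `rsyslogd -N1` checks the syntax before the service is restarted. The forward is plain TCP, as in the post, so the log lines cross the network unencrypted.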