I am trying to forward input from a universal forwarder to a regular Splunk installation on my desktop.
The universal forwarder was installed on a Linux webapp server where I configured the inputs.conf (in the /etc/system/local dir) to take a scripted input (basically a bash script with a tail command of /var/log/messages piped to grep for a keyword). That is the only input I have configured in local. I restarted, checked logs, etc.
Unfortunately I don't see the source, sourcetypes, or host for the Linux webapp in the search homepage. I DO see the three Windows hosts I installed a forwarder on; however, they are pulling a log file for a client service. I feel like I am missing something somewhere. I tested the script for output, which it does. I double-checked the syntax in inputs.conf. I'm looking at the splunkd.log and I see the default directives:
TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk
etc..
I do not see my script://tail_daemon.sh directive.
I'm not sure where else to look for errors.