I am trying to index new data and it is not happening.
I am indexing a single log file that is being written to by the server whenever new events are added.
I put this statement into the MSIADDED inputs on the universal forwarder because that is where my current inputs live.
This is what I added.
[Monitor://D:\Software\Waratek\HR-Config\HR.log]
disabled = 0
sourcetype = waratek
index = main
This is a sample of the file.
2018-05-02 11:02:09,851 CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 02|Load Rule|Low|outcome=success
2018-05-02 11:02:13,252 CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 02|Link Rule|Low|outcome=success
2018-05-02 11:02:13,263 CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 03|Load Rule|Low|outcome=success
2018-05-02 11:02:14,135 CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 03|Link Rule|Low|outcome=success
I can see the sourcetype show up in the data summary; however, when I search for the data, there is nothing there. Any suggestions here?
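As an added example that is not part of the post, and not Waratek's or Splunk's own extraction code, here is a Python parser for the line format shown above: a timestamp followed by a CEF record of seven pipe-delimited header fields and a key=value extension. It also handles CEF's `\|` and `\=` escapes, which the sample lines do not exercise, and tallies events per rule, the same fields a search-time extraction for this sourcetype would need to pull out. The sample lines are constructed by copying the four lines from the post.

```python
"""Parse the Waratek ARMR log lines from the post: a timestamp followed by a
CEF record.  Added example, not code from the post or from Waratek/Splunk."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the four lines shown in the post.
SAMPLE_LINES = [
    "2018-05-02 11:02:09,851 CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 02|Load Rule|Low|outcome=success",
    "2018-05-02 11:02:13,252 CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 02|Link Rule|Low|outcome=success",
    "2018-05-02 11:02:13,263 CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 03|Load Rule|Low|outcome=success",
    "2018-05-02 11:02:14,135 CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 03|Link Rule|Low|outcome=success",
]

# The seven CEF header fields that precede the key=value extension.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def split_cef_header(record):
    """Split a CEF record on the first seven unescaped '|' characters.
    CEF escapes a literal pipe in the header as '\\|' and a backslash as '\\\\'."""
    parts, current, i, splits = [], [], 0, 0
    while i < len(record):
        ch = record[i]
        if ch == "\\" and i + 1 < len(record) and record[i + 1] in "|\\":
            current.append(record[i + 1])   # unescape \| and \\
            i += 2
            continue
        if ch == "|" and splits < 7:
            parts.append("".join(current))
            current, splits = [], splits + 1
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))         # the extension: everything after the 7th pipe
    return parts


# A key is a run of [A-Za-z0-9_.] at the start of the extension or after whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def parse_extension(extension):
    """Turn the extension 'k1=v1 k2=v2 ...' into a dict.  Values may contain
    spaces; a literal '=' inside a value is escaped as '\\='."""
    keys = list(_KEY_RE.finditer(extension))
    fields = {}
    for idx, match in enumerate(keys):
        start = match.end()
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(extension)
        value = extension[start:end].strip()
        fields[match.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return fields


def parse_cef_line(line):
    """Parse one log line of the form '<timestamp> CEF:<version>|...|<extension>'."""
    timestamp_text, sep, record = line.partition(" CEF:")
    if not sep:
        raise ValueError("no CEF record in line: %r" % line)
    parts = split_cef_header("CEF:" + record)
    if len(parts) != 8:
        raise ValueError("malformed CEF header in line: %r" % line)
    event = dict(zip(HEADER_FIELDS, parts))
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    # The file's timestamp uses a comma before the milliseconds; %f accepts 3 digits.
    event["timestamp"] = datetime.strptime(timestamp_text, "%Y-%m-%d %H:%M:%S,%f")
    event["extension"] = parse_extension(parts[7])
    return event


def parse_lines(lines):
    """Parse every non-blank line; raises on a malformed one rather than skipping it."""
    return [parse_cef_line(line) for line in lines if line.strip()]


def count_by_rule(events):
    """Count events per (signature_id, name), like 'stats count by signature_id, name'."""
    return Counter((e["signature_id"], e["name"]) for e in events)


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LINES)
    for event in events:
        print(event["timestamp"].isoformat(sep=" "), event["signature_id"],
              event["name"], event["severity"], event["extension"])
    for (sig, name), n in sorted(count_by_rule(events).items()):
        print(n, sig, name)
```

Running the script on the sample prints one parsed event per line and then a count of one for each of the four (signature_id, name) pairs. It says nothing about why the forwarder is not indexing the file; it only shows what the events contain once they do arrive.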