Using Splunk Enterprise 6.2.2
The Problem: No data ingested.
We have several deployed APPs and would like to monitor changes to the inputs.conf file on our universal forwarders. We have created a new app called confMonitor. Its input file is shown below.
[monitor://C:\Program Files\splunkuniversalforwarder\etc\apps\windows\local\inputs.conf]
disabled = false
sourcetype = syslog
index = testdata
There are three APPS on this universal forwarder: confMonitor, windows and sendtoindexer; only the latter two function.
The splunkd.log file shows the following; no other messages exist about this APP or inputs file.
08-XX-20XX 10:23:56.277 -0400 INFO TailingProcessor - Adding watch on path: C:\Program Files\splunkuniversalforwarder\etc\apps\windows\local\inputs.conf.
sourcetype=syslog is a valid sourcetype; index=testdata is a valid index. We tried using crcSalt = ; we've tried csv as a sourcetype. We have stopped/started the universal forwarder in order to re-read the APPS on the universal forwarder. We do not use a deployment server. It looks like fschange from previous versions of Splunk may have worked, but I think it's been deprecated. Help is appreciated.