I'm very new to splunk and trying to do a POC on my laptop. I installed windows version of splunk and installed the splunk. I'm trying to configure the forwader and receiver to search the event logs on laptop.
For receivers I configured it via splunk web
Manager >> Forwarding and receiving >> Configuring receiving and gave the port as 9997
For forwaders Following files were modified $SPLUNK_HOME\etc\apps\SplunkLightForwarder\default\inputs.conf
Copy paste mistake, my inputs.conf file has the following info.
After above changes I restarted the splunkd and splunk web and tried the following in the search
which is returning nothing......
Did I miss any configurations? do I need to install any windows app for forwarders please advise, thank you very much.
It seems like you're routing the data using the inputs.conf and then trying to search data on the wrong and probably non-existing index? It seems like my_indexers is your tcpout group name. Give this a try and comment let us know whether it works: - remove "_TCP_ROUTING = my_indexers" from your inputs file - put this instead: "index = main" or whatever index you want the data to go to.
answered 05 Oct '11, 22:55
The _audit is an index that gets created automatically and it is used internally by splunk. Try putting the the stanza in your $SPLUNK_HOME/etc/system/local/inputs.conf: [monitor://C:Windows/System32/winevt/Logs/] index = main disabled = false This should bring in all data under Logs dir. Don't forget to do a restart of splunk. Technically speaking, you dont need to forward local data to the localhost (like you're doing with outputs.conf) - your indexer instance can read/monitor files just fine :)
answered 06 Oct '11, 07:26