Configure data collection on forwarders with inputs.conf
You can configure data inputs on a forwarder by editing the inputs.conf
configuration file.
In nearly all cases, edit inputs.conf
in the $SPLUNK_HOME/etc/system/local
directory. If you have an app installed and want to make changes to its input configuration, edit $SPLUNK_HOME/etc/apps/<appname>/local/inputs.conf
. For example, if you have the Splunk Add-on for Unix and Linux installed, you would make edits in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf
.
Do not make changes to the inputs.conf in $SPLUNK_HOME/etc/system/default
. When you upgrade, the installation overwrites that file, which removes any changes you made.
Whenever you make a change to a configuration file, you must restart the forwarder for the change to take effect.
Edit inputs.conf
- Using your operating system file management tools or a shell or command prompt, navigate to
$SPLUNK_HOME/etc/system/local
. - Open
inputs.conf
for editing. You might need to create this file if it does not exist. - Add your data inputs.
- Once you have added your inputs, save the file and close it.
- Restart the forwarder.
- On the receiving indexer, log in and load the Search and Reporting app.
- Run a search and confirm that you see results from the forwarder that you set up the data inputs on:
host=<forwarder host name or ip address> source=<data source> earliest=1h
If you don't see any results, visit the Troubleshooting page for possible resolution.
Deploy a light forwarder | Configure forwarders with outputs.conf |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!