Hi
I have a Splunk Universal Forwarder installed on Windows systems and I am able to get installed software (1st phase PoC).
Now I intend to get CSV reports from AV server for all Windows Systems and use them to further analyse my Systems Status.
The AV CSV report will be updated on a daily basis by IT team and I intend to pick up the changes only and update my analysis.
I have tried to do a pilot run of uploading a CSV file using UF on my own windows 10 system as per below steps:
1. Created a custom CSV file.
2. Stopped the UF
3. Added a monitor command in the inputs.conf file at the path
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local
4. The inputs.conf entry reads as below:
[monitor://C:\Users\\Desktop\splunk\*.csv]
disabled = 0
index = index1
sourcetype = csv1
5. Restarted the Splunk UF
6. I could see the logs in the Index
7. Prob 1: Now I tried to change the CSV file and added some more rows, but the same were not immediately visible.
8. Prob 2: I tried to create a new index index2 and change the inputs.conf file to redirect the logs to the new index, but I see no logs in Splunk Search.
9. Prob 3: I have created a completely new file and changed its location but kept the index as index1, but still I don't see any logs.
I am currently perplexed as to how exactly the Splunk Forwarder will behave.
P.S. I have not edited the props.conf or transform.conf files, as I am not sure that they are needed.
Any HELP highly Appreciated
Regards
VS
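The stanza the poster quotes above leaves out two settings that commonly explain the three symptoms described: the UF identifies a file by a checksum of its leading bytes plus the byte offset it has already read, so a regenerated CSV with the same header (or a second CSV with an identical header at another path) can be treated as already indexed, and a CSV sourcetype needs a props.conf on the forwarder if the header row is to become field names. The following inputs.conf and props.conf pair is an added example written for this answer, not configuration from the original post; the path, index name and sourcetype are carried over from the question, and the assumption is that the IT team writes one new file per day with the date in its name.

```ini
# etc/apps/Splunk_TA_windows/local/inputs.conf on the Universal Forwarder
# (example configuration added here, not from the original post)

# Match only the daily AV report files, e.g. av_report_2024-01-15.csv
# (filename pattern is an assumption; adjust to what the AV server produces).
[monitor://C:\Users\<user>\Desktop\splunk\av_report_*.csv]
disabled = 0
index = index1
sourcetype = csv1
# Include the full path in the file checksum so two reports that start with the
# same header row are tracked as distinct files instead of "already seen".
crcSalt = <SOURCE>
# Checksum more than the default 256 leading bytes; a CSV header plus the first
# data row is often identical between daily exports.
initCrcLength = 1024

# etc/apps/Splunk_TA_windows/local/props.conf on the SAME forwarder.
# INDEXED_EXTRACTIONS is evaluated on the host that reads the file, so this
# must live on the UF, not only on the indexer.
[csv1]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1
FIELD_DELIMITER = ,
# Each row is one event; stop the default line-merging that can glue rows together.
SHOULD_LINEMERGE = false
```

Two operational points follow from the settings above. First, any index named in inputs.conf (index1, index2) must already exist on the indexer; a forwarder sends events for an unknown index and the indexer drops them, which looks exactly like "no logs in Splunk Search" after a switch to index2. Second, the UF only rereads inputs.conf on restart, and a file it has fully consumed is remembered in its fishbucket; to re-index a test file during a pilot, either change its name or clear the forwarder's tracking state for that source rather than editing rows in place, because appended rows are picked up from the saved offset but rows inserted or rewritten above that offset are not.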