https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107277#M22550 <P>thanks for the confirmation. and where is this data stored? Is this meaning that i can't use the syslog messages that Splunk received with other syslog software?</P> Tue, 24 May 2011 08:58:20 GMT channy 2011-05-24T08:58:20Z https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107275#M22548 <P>I install splunk and add syslog port as the input data. i wonder where splunk store the syslog that it received? Do splunk differentiate between the syslog message and the indexed data?</P> Mon, 23 May 2011 09:24:53 GMT https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107275#M22548 channy 2011-05-23T09:24:53Z https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107276#M22549 <P>No, it does not differentiate. All data processed by Splunk - be it syslog data, files being read, or other network sockets - is stored in various Splunk indexes. The syslog message <STRONG>IS</STRONG> the indexed data.</P> Mon, 23 May 2011 13:57:25 GMT https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107276#M22549 dwaddle 2011-05-23T13:57:25Z https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107277#M22550 <P>thanks for the confirmation. and where is this data stored? Is this meaning that i can't use the syslog messages that Splunk received with other syslog software?</P> Tue, 24 May 2011 08:58:20 GMT https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107277#M22550 channy 2011-05-24T08:58:20Z https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107278#M22551 <P>You could instead of directly ingesting syslog messages into Splunk to first store in a file remote syslog events, using for example rsyslog (<A href="http://www.rsyslog.com/storing-messages-from-a-remote-system-into-a-specific-file/">http://www.rsyslog.com/storing-messages-from-a-remote-system-into-a-specific-file/</A>), and to point Splunk to that file.</P> Tue, 24 May 2011 09:48:09 GMT https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107278#M22551 imrago 2011-05-24T09:48:09Z https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107279#M22552 <P>Any data Splunk indexes is stored in an index data structure called a bucket. The internal format of Splunk's buckets is proprietary to the product - so you can't (easily) go poking about inside of a bucket trying to read and understand it. </P> <P>If you wish to have other software work with your log data, there are some options. Imrago's suggestion of using rsyslog first (and letting splunk read the files it makes) is a good one. Also, you can configure splunk to forward events over a TCP socket to thirs party software.</P> Tue, 24 May 2011 13:28:40 GMT https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107279#M22552 dwaddle 2011-05-24T13:28:40Z https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107280#M22553 <P><A href="http://www.splunk.com/base/Documentation/latest/Deploy/Forwarddatatothird-partysystemsd">http://www.splunk.com/base/Documentation/latest/Deploy/Forwarddatatothird-partysystemsd</A></P> Tue, 24 May 2011 13:32:13 GMT https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107280#M22553 dwaddle 2011-05-24T13:32:13Z https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107281#M22554 <P>thanks imrago...very helpful tool....<BR /> thanks dwaddle for the clarification....</P> Wed, 25 May 2011 06:44:10 GMT https://community.splunk.com/t5/Getting-Data-In/where-splunk-store-syslog-data/m-p/107281#M22554 channy 2011-05-25T06:44:10Z