https://community.splunk.com/t5/Getting-Data-In/How-to-read-syslog-events-in-Linux-CLI/m-p/306127#M57752 <P>The splunk <CODE>tsidx</CODE> format is not really geared for direct examination but you can, as @aakwah explained. The other thing that you can do is run searches from the CLI, like this:</P> <PRE><CODE>/opt/splunk/bin/splunk search "index=foo bar" </CODE></PRE> <P>Also, you can check your syslog configuration to see where it is writing the incoming data (or your Splunk <CODE>inputs.conf</CODE>) and do a <CODE>tail -f &lt;filename&gt;</CODE> on those files to see the data coming in. You can also use <CODE>tcpdump</CODE> to snoop the incoming port to grab it before/as it comes into syslog.</P> Mon, 22 May 2017 18:47:49 GMT woodcock 2017-05-22T18:47:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-read-syslog-events-in-Linux-CLI/m-p/306125#M57750 <P>hai,</P> <P>I have installed Splunk on cent-os 6.5 and able to see the syslog events on GUI. I want to see those events on CLI too.</P> <P>So what is the path of these events that will be stored so that I can verify in that file.</P> <P>Got some info that the log file will be under $SPLUNK_HOME/var/lib/splunk/[Index_Name] , but i didnt see any file here.</P> <PRE><CODE>[root@Thirumal-LDNS ~]# vim /opt/splunk/var/lib/splunk/ audit/ .dirty_database historydb/ _introspection.dat summary.dat _thefishbucket.dat _audit.dat fishbucket/ _internal.dat kvstore/ summarydb/ authDb/ hashDb/ _internaldb/ main.dat _telemetry/ defaultdb/ history.dat _introspection/ persistentstorage/ _telemetry.dat [root@Thirumal-LDNS ~]# vim /opt/splunk/var/lib/splunk/ </CODE></PRE> <P>thanks in advance.</P> Tue, 29 Sep 2020 14:09:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-read-syslog-events-in-Linux-CLI/m-p/306125#M57750 thirumal_tr 2020-09-29T14:09:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-read-syslog-events-in-Linux-CLI/m-p/306126#M57751 <P>Hello,</P> <P>All data ingested to Splunk are saved in the index at the same location you are accessing above (default path for indexes, and it can be changed).</P> <P>The index is a proprietary data store created by Splunk and it consists of raw files which are not supposed to viewed by a text editor, however if you grep certain log lines you will get the corresponding bucket.</P> <P>For example:</P> <P>grep -R 'port=49872' /opt/splunk/var/lib/splunk//*</P> <P>For more details have a look to this question:<BR /><BR /> <A href="https://answers.splunk.com/answers/6467/what-is-splunk-database-engine.html">https://answers.splunk.com/answers/6467/what-is-splunk-database-engine.html</A></P> <P>Regards</P> Mon, 22 May 2017 14:06:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-read-syslog-events-in-Linux-CLI/m-p/306126#M57751 aakwah 2017-05-22T14:06:19Z https://community.splunk.com/t5/Getting-Data-In/How-to-read-syslog-events-in-Linux-CLI/m-p/306127#M57752 <P>The splunk <CODE>tsidx</CODE> format is not really geared for direct examination but you can, as @aakwah explained. The other thing that you can do is run searches from the CLI, like this:</P> <PRE><CODE>/opt/splunk/bin/splunk search "index=foo bar" </CODE></PRE> <P>Also, you can check your syslog configuration to see where it is writing the incoming data (or your Splunk <CODE>inputs.conf</CODE>) and do a <CODE>tail -f &lt;filename&gt;</CODE> on those files to see the data coming in. You can also use <CODE>tcpdump</CODE> to snoop the incoming port to grab it before/as it comes into syslog.</P> Mon, 22 May 2017 18:47:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-read-syslog-events-in-Linux-CLI/m-p/306127#M57752 woodcock 2017-05-22T18:47:49Z