topic monitor log file macOs in Monitoring Splunk

monitor log file macOs

YANN84 — Sun, 19 Nov 2017 02:28:30 GMT

i have recently installed Splunk entreprise to play with it a little and I am trying to get the monitor my log files or CPU activity on my mac but I am unable to unable to create to have a vizualisation once everything is loaded. Here is wht I do :

Settings/data inputs/files & directory/

From this menu I click on new to add a new thing to monitor. Then I I browse to the file and diredtory I want to monitor which is inside the following path:

   Applications/Utilities/ActivityMonotor.app/Contents/MacOs/Activity Monitor

Once this loaded O am still unable to have a visualization. I am inside the right folder /file or that is not the way I monitor files on Splunk?

Re: monitor log file macOs

kamlesh_vaghela — Sun, 19 Nov 2017 02:56:28 GMT

HI @YANN84,

When you configuring the file, you have selected "File" by clicking on the browse button.After clicking next button you were asked for "Set Source Type". At this point do you able to find any events in event bar??
If yes then try below search in all time to verify the data.

source="*YOUR_FILE_NAME*" sourcetype="YOUR_SOURCE_TYPE"

source="*YOUR_FILE_NAME*"

sourcetype="YOUR_SOURCE_TYPE"

If you found data then there is no problem in file monitoring. if found then check below link.

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorfilesanddirectorieswithSplunkWeb

If we able to monitor file and still not able to see any visualization then next we have to check fields which are used in visualization panels are properly extracted or not. To verify this we can check execute above search OR any visualization's search and check extracted filed in a Left side panel. If we are not able to see then there is a problem with extraction. Please see below link.

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/ExtractfieldsinteractivelywithIFX

I hope this will help you.

Happy Splunking

Re: monitor log file macOs

YANN84 — Sun, 19 Nov 2017 12:17:23 GMT

thanks . I seem to see where my problem is, but still not able to sort it. My source is set to default and I have changed the app context to Monitoring console from Search & Reporting. I do not think my files is being read properly. My event looks odd , similar to this :

 xCF\xFA\xCD ...

and lots of zeros; absolutely horrrendous...

Re: monitor log file macOs

Richfez — Sun, 19 Nov 2017 13:04:13 GMT

I think the file you are monitoring is not a log file? Is that the actual executable that runs the Activity Monitor?

In recent versions of OSX, Apple has made this hard. They built a new logging mechanism that's binary (like systemd in *nix) but haven't gotten around to building a conversion-to-text utility. Or at least one that will run automatically all the time. Here's an answer that may [not] help on trying to ingest that logging.

If nothing else, that hopefully will help you find an answer. When/if you do, please update us!

(Also, it's very possible someone's figured out a good way to do this, they just haven't seen this question yet!)

Re: monitor log file macOs

YANN84 — Sun, 19 Nov 2017 14:42:00 GMT

Thanks; I think that's the problem. I'll try on my windows first then try to figure it out on my mac.

Re: monitor log file macOs

afamoyib — Tue, 21 Nov 2017 21:49:05 GMT

There is actually an app from splunk that monitors nix environments. You can review the inputs.conf file to get the information you want. But since it is your os, i will suggest deploy it and you can see all the information you want from your os and add to it.

https://splunkbase.splunk.com/app/833/

Splunk TA NIX

Re: monitor log file macOs

Herman — Sat, 20 Mar 2021 21:34:56 GMT

Why there is nothing happened when I click 'save' for setting of the add-on? I am still trying to figure out how to use the add-on.