Couldn't find ns_log sourcetype for Citrix Netscaler app

ozirus
Path Finder

Hi,

I'm trying to install the NetScaler app for Splunk. My syslog log data is being pushed to a local file on the same machine as Splunk, since there are 2 different NS machines. I want Splunk to gather its data from this local file. While I'm defining the Data Input from a local file, there is no suitable source type for NS (ns_log). How can I solve this? When I try to define the ns_log sourcetype myself, it says there is already an ns_log sourcetype.

Thanks


jconger
Splunk Employee

TL;DR - manually set up Splunk to watch your file(s):
1) Go to $SPLUNK_HOME/etc/apps/Splunk_TA_Citrix-NetScaler
2) Create a directory named "local"
3) Create a file named inputs.conf in the local directory
4) The contents of inputs.conf should look like this:

[monitor://path_to_your_log_file]
disabled = false
sourcetype = ns_log
index = netscaler

5) Restart Splunk

Explanation:
When you install the Netscaler app, a folder named Splunk_TA_Citrix-NetScaler will get created in SPLUNK_HOME/etc/apps. There is an inputs.conf file in here that defines a UDP listener on port 8514 that has a sourcetype of ns_log. So, the NetScaler app is expecting you to send data directly from your NetScaler to Splunk instead of to a file. There are corresponding [ns_log] stanzas in props.conf to extract fields - this is the part giving you grief as the setup wizard wants to overwrite these stanzas with your import. By manually creating the input, we can skip all this grief.
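
A check to run after step 4 and before the restart, added here as an example (not code from the original post or from the Splunk app): it layers local/inputs.conf over the app's default/inputs.conf the way Splunk does within one app and reports whether the file monitor will get the ns_log sourcetype. The default stanza text and the log path are constructed for illustration, and the function names are hypothetical.

```python
import configparser

# Constructed stand-in for the TA's default/inputs.conf (the answer describes
# a UDP listener on port 8514 with sourcetype ns_log; exact stanza is assumed).
DEFAULT_INPUTS = """
[udp://8514]
sourcetype = ns_log
"""

# local/inputs.conf from step 4; the log path is a constructed placeholder.
LOCAL_INPUTS = """
[monitor:///var/log/netscaler/ns.log]
disabled = false
sourcetype = ns_log
index = netscaler
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective_inputs(default_text, local_text):
    """Layer local over default, key by key, as Splunk does within one app."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged

def check_monitor(inputs, sourcetype="ns_log"):
    """Return a list of problems with the file monitor inputs (empty = OK)."""
    monitors = {s: k for s, k in inputs.items() if s.startswith("monitor://")}
    if not monitors:
        return ["no [monitor://...] stanza: file is not being watched"]
    problems = []
    for stanza, keys in monitors.items():
        if keys.get("disabled", "false").lower() in ("1", "true"):
            problems.append(f"{stanza}: input is disabled")
        if keys.get("sourcetype") != sourcetype:
            problems.append(f"{stanza}: sourcetype is not {sourcetype}; "
                            "the TA's props.conf extractions will not apply")
        if "index" not in keys:
            problems.append(f"{stanza}: no index set; events go to the default index")
    return problems

if __name__ == "__main__":
    eff = effective_inputs(DEFAULT_INPUTS, LOCAL_INPUTS)
    for issue in check_monitor(eff) or ["monitor input OK"]:
        print(issue)
```

On a running instance, `$SPLUNK_HOME/bin/splunk btool inputs list --debug` prints the real merged inputs along with the file each setting came from.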
