File monitoring inputs for Splunk Add-on for Unix and Linux
Query 1-->I have installed the above mentioned app to monitor the file monitoring input from the same. When I enable the default file monitoring inputs I am getting source and source type as attached in the data. But I do not see much interesting fields for the same source and source type. Please assist me with the exact source and source type along with the list of interesting fields it will extract via field extraction.
Query 2-->I have installed the above mentioned app to monitor the file monitoring input from the same. When I updated inputs.conf with new file monitoring inputs I am not getting data for the new input. Please let me know why, and how we can work on the same to get exact data from the new input files.
Hi @AK_Splunk,
I suppose that you installed the latest version of this Add-On.
Anyway, there are many inputs to enable, reading files and executing scripts to have many different sources and sourcetypes; why do you say that you don't see much interesting fields?
Which ones did you enable?
As you can see at https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About you have, by default: 6 monitored folders and 35 scripted inputs, summarizing 44 different sourcetypes!
About the second question, could you share your updated inputs.conf (that I suppose you did in the app local folder)?
Did you restart the Forwarder after updating the conf files?
Ciao.
Giuseppe
The installed version of this Add-On is 8.7.0.
I have only enabled 6 file/folder default file monitoring inputs in the app and have added 3 more file paths in same format as the default file monitoring input.
I am looking for interesting fields like loglevel, messages, timing, etc.
The sourcetypes of the scripted inputs are shared in the document. I am trying to understand the sourcetype of the file monitoring input.
Default inputs.conf stanzas:
[monitor:///Library/Logs]
disabled = 1
[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
disabled = 1
[monitor:///var/adm]
whitelist=(\.log|log$|messages)
disabled = 1
[monitor:///etc]
whitelist=(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)
disabled = 1
### bash history
[monitor:///root/.bash_history]
disabled = true
sourcetype = bash_history
[monitor:///home/*/.bash_history]
disabled = true
sourcetype = bash_history
Updated inputs.conf stanzas:
[monitor:///var/log/messages]
disabled = 0
index = unix_test_normal
[monitor:///Library/Logs]
disabled = 0
index = unix_test_normal
[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
disabled = 0
index = unix_test_normal
[monitor:///var/adm]
whitelist=(\.log|log$|messages)
disabled = 0
index = unix_test_normal
[monitor:///etc]
whitelist=(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)
disabled = 0
index = unix_test_normal
Yes I have performed restart.
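The [monitor:///var/log] stanza above selects files by regex, and Splunk applies the whitelist and blacklist to the full path, with the blacklist winning when both match. The following is an added example, not code from the thread or from the Add-on, that applies the stanza's own whitelist and blacklist regexes to a constructed list of paths so you can check which files the input will actually pick up before restarting the forwarder:

```python
import re

# Regexes copied verbatim from the [monitor:///var/log] stanza in the thread.
VAR_LOG_WHITELIST = r"(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)"
VAR_LOG_BLACKLIST = r"(lastlog|anaconda\.syslog)"

# Constructed sample paths for the demonstration; not a listing of any real host.
SAMPLE_PATHS = [
    "/var/log/messages",
    "/var/log/secure",
    "/var/log/cron",
    "/var/log/lastlog",
    "/var/log/anaconda.syslog",
    "/var/log/httpd/access_log",
    "/var/log/wtmp",
    "/var/log/dmesg",
    "/var/log/audit/audit.log",
]


def is_monitored(path, whitelist, blacklist=None):
    """Apply Splunk's documented monitor rule: the full path must match the
    whitelist regex and must not match the blacklist regex; when both match,
    the blacklist wins. Both regexes are unanchored searches over the path,
    which is why alternatives such as log$ and cron$ carry their own anchors."""
    if blacklist and re.search(blacklist, path):
        return False
    return re.search(whitelist, path) is not None


def select_monitored(paths, whitelist, blacklist=None):
    """Return the subset of paths the stanza would monitor, in input order."""
    return [p for p in paths if is_monitored(p, whitelist, blacklist)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        flag = "MONITOR" if is_monitored(p, VAR_LOG_WHITELIST, VAR_LOG_BLACKLIST) else "skip   "
        print(flag, p)
```

Run against the sample list, /var/log/lastlog and /var/log/anaconda.syslog are dropped by the blacklist even though log$ would whitelist the first, /var/log/wtmp is never selected because no whitelist alternative matches it, and /var/log/messages is selected by the /var/log stanza on its own; the separate [monitor:///var/log/messages] stanza in the updated file therefore overlaps it, which is worth knowing when you reason about which stanza's index and sourcetype settings win.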
Hi @AK_Splunk,
The configurations are correct; which user are you using to run Splunk on the Forwarder?
If not root, check whether this user has permission to read those files.
I suppose that you copied the inputs.conf file into the local folder before updating it; otherwise you lose your updates.
Is this forwarder managed by a Deployment Server? You can check on the DS or in $SPLUNK_HOME/etc/system/local/deploymentclient.conf.
Ciao.
Giuseppe
Hi @gcusello
Thanks for your quick response.
The permissions are root itself, and it has read-only permissions too.
I suspect it is some issue wrt the app itself.
Even for the default inputs, if I enable them, the data that is coming does not have good interesting fields like log level.
Can you confirm what all interesting fields we should be getting for default inputs file monitoring?
I am using this app for monitoring /var/log/messages OS logs with the expectation that I will have, by default, props that will extract more common fields like log_level, service names, etc.
Please assist me on the same.
Hi @AK_Splunk,
In this Add-On there are, by default, six file monitoring inputs that must be enabled (as you did) by copying inputs.conf from the default folder to the local folder and then changing "disabled=1" to "disabled=0".
Don't modify inputs.conf in the default folder!
I continue to not understand what you mean with "all interesting fields we should be getting for default inputs file monitoring?": enabling these six inputs, Forwarders read the files in the related folders and send them to Splunk, where they are parsed and indexed, so you have all the relevant fields available.
One additional question: did you also install the Linux Add-On on the Indexers?
Add-ons are used on Forwarders for inputting, on Indexers or on Heavy Forwarders (if present) for parsing and merging, and on Search Heads for search-time parsing.
Maybe you don't see the extracted fields because you didn't install the Add-On on the Indexers and Search Heads.
Ciao.
Giuseppe
Hi @AK_Splunk,
If you have intermediate Heavy Forwarders, you have to install the TA also there, but your issue shouldn't be related to this because fields are extracted at search time, so only the TA installed on the Search Head is relevant.
Anyway, I continue to not understand what you mean with "all interesting fields we should be getting for default inputs file monitoring?": enabling the above six inputs, Forwarders read the files in the related folders and send them to Splunk, where they are parsed and indexed, so you have all the relevant fields available.
Ciao.
Giuseppe
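The thread turns on what a search-time extraction can and cannot pull out of a /var/log/messages line. The block below is an added illustration, not the Add-on's own props or any code from the thread: it applies a hypothetical regex of the kind you would put in a props.conf "EXTRACT-<name>" setting (Splunk turns each named capture group into a field) to constructed syslog lines. It also shows why a log_level field is often missing: the traditional syslog file format carries no severity column, so a level can only be recovered when the daemon writes a level word into the message text itself.

```python
import re

# Hypothetical search-time extraction, equivalent to a props.conf
# "EXTRACT-syslog_fields = <regex>" stanza with named groups. This is NOT the
# regex shipped by the Splunk Add-on for Unix and Linux; it is an assumption
# made for this example.
SYSLOG_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<process>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?P<message>.*)$"
)

# Best-effort level keyword inside the free-text message. /var/log/messages in
# the traditional syslog file format has no severity field, so log_level exists
# only when the writing daemon put such a word into the message.
LEVEL_WORD = re.compile(
    r"\b(?P<log_level>emerg|alert|crit|error|err|warning|warn|notice|info|debug)\b",
    re.IGNORECASE,
)

# Constructed sample lines for the demonstration; not taken from any real host.
SAMPLE_LINES = [
    "Mar 10 09:15:42 web01 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2",
    "Mar 10 09:15:43 web01 kernel: [12345.678901] usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "Mar 10 09:16:01 web01 CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 10 09:16:05 web01 systemd[1]: Failed to start Nightly backup. Error: unit not found",
]


def extract_fields(line):
    """Return the fields the hypothetical EXTRACT would produce for one event,
    or None when the line does not match (Splunk then extracts nothing from it).
    Groups that did not participate (e.g. a missing pid) are omitted, which
    mirrors Splunk not creating an empty field."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    level = LEVEL_WORD.search(fields["message"])
    if level:
        fields["log_level"] = level.group("log_level").lower()
    return fields


def extract_all(lines):
    """Apply the extraction to every line, keeping positions for inspection."""
    return [extract_fields(line) for line in lines]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LINES, extract_all(SAMPLE_LINES)):
        print(line)
        print("   ->", fields)
```

Of the four constructed events, only the systemd line yields a log_level (from the word "Error" in its message); the sshd, kernel and CRON lines get process, pid (where present) and message but no level, which is the behaviour the original poster observed and which no search-time regex can change unless the level is actually present in the data.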