All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to Ingest Splunk Server Data into Index?

hart918
Explorer
‎08-16-2022 06:12 AM

I am trying to get the Splunk server data, such as system logs and audit logs, into the same index as my other Linux servers using the Splunk Linux App.  How do I get this data ingested into my Linux Index?  So far the forums and discussion groups only refer to the Splunk software data when I'm trying to get the server data.  I have the app installed on each of my Splunk Servers in the /app folder.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-16-2022 09:48 AM

The inputs.conf file is where the destination index name is specified so that is where you would tell Splunk to put the data in the "linux" index.

Verify Splunk has permission to read the monitored files.  That's the most common reason for data not showing up in Splunk.  There should be messages in _internal to that effect.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-16-2022 07:25 AM

Hi @hart918,

are you speaking of Splunk or Linux system and audit logs?

if Splunk, as @richgalloway said, they automatically are in _internal and _audit indexes.

If you're speaking of Linux system and audit logs, they usually are in the "os" index, but it must be configured, by GUI or by conf files.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-16-2022 07:12 AM

When you say "Splunk server data" are you referring to Splunk's own logs (index=_internal) or the server on which Splunk is running (/var/log)?

Which inputs have you enabled in the Splunk Linux App?

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

hart918
Explorer
‎08-16-2022 07:25 AM

I'm referring to the server data, /var/log/*.  Within the app's input.conf I have everything enabled, but when I do a search,  I don't see any log data for the server.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-16-2022 09:48 AM

The inputs.conf file is where the destination index name is specified so that is where you would tell Splunk to put the data in the "linux" index.

Verify Splunk has permission to read the monitored files.  That's the most common reason for data not showing up in Splunk.  There should be messages in _internal to that effect.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...