All Apps and Add-ons

Splunk Add-on for Unix and Linux: Why are syslogs from Linux servers being returned as raw events?

sabaKhadivi
Path Finder

As I installed linux TA and app , received logs are in the form of raw event and they aren't indexed with this TA.
Linux servers send logs to universal forwarder by syslog, and when i search in the related index, logs seem to be raw events, and field extraction hasn't happened.

The TA is most downloaded in Splunkbase. What is the solution?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The Splunk TA for Linux does not expect events to arrive via syslog. Events sent via syslog are in a very different format for which you will have to craft your own props.conf settings.

---
If this reply helps you, Karma would be appreciated.

renjith_nair
Legend

@sabaKhadivi,

Splunk TA for linux contains a set of scripted inputs to collect system information such as cpu,memory,process etc from the system.

Are you looking for RFC5424 Syslog ?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...