All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Unix and Linux: Why are syslogs from Linux servers being returned as raw events?

sabaKhadivi
Path Finder
‎09-14-2018 02:05 AM

As I installed linux TA and app , received logs are in the form of raw event and they aren't indexed with this TA.
Linux servers send logs to universal forwarder by syslog, and when i search in the related index, logs seem to be raw events, and field extraction hasn't happened.

The TA is most downloaded in Splunkbase. What is the solution?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-14-2018 04:04 AM

The Splunk TA for Linux does not expect events to arrive via syslog. Events sent via syslog are in a very different format for which you will have to craft your own props.conf settings.

---
If this reply helps you, Karma would be appreciated.
Reply

renjith_nair
Legend
‎09-14-2018 04:02 AM

@sabaKhadivi,

Splunk TA for linux contains a set of scripted inputs to collect system information such as cpu,memory,process etc from the system.

Are you looking for RFC5424 Syslog ?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...