All Apps and Add-ons

Splunk add-on for apache web server data verification failing

akash2303
Loves-to-Learn Lots

Hi Guys,

I installed Splunk add-on for apache web server on my UF and configured as per the documentation. I am able to see logs in my indexer but facing issue with the "tags".

Only "web" and "error" tags are being generated.

No data is displayed when i run data validation search:
tag=web tag=inventory tag=activity sourcetype=apache:access OR tag=web tag=inventory tag=activity sourcetype=apache:error

 

Below are the configuration files :

cd /opt/splunkforwarder/etc/apps/Splunk_TA_apache

cat inputs.conf
-bash-4.2$ cat inputs.conf
[monitor:///var/log/httpd/error_log*]
sourcetype=apache:error
index=webserver
disabled = 0

[monitor:///var/log/httpd/access_log*]
sourcetype=apache:access:kv
index=webserver
disabled = 0

I have only one config file "inputs.conf" in the above path.

NOTE: I need this app to work fine in order to use it with Splunk ITSI web server module.

PLEASE HELP!

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

On base installation it seems that there are only those two tags present on tags.conf.

[eventtype=access_log_event]
web = enabled

[eventtype=error_log_event]
error = enabled

 If you are needing more, then you must add those by yourself or use another TA which defined those other.

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...