
sourcetype squid

dsenior_trlm
New Member

Splunk works only for sourcetype "squid", my logs currently are "Access-11", how do I change that?

0 Karma

ajstokvis
New Member

I don't have an inputs.conf in my /opt/splunk/etc/apps/Splunkforsquid/local directory.
Anyone know why?

0 Karma

ajstokvis
New Member

Thank you very much!!!!!

After a restart of splunk it works now.

0 Karma

ajstokvis
New Member

At first thanks for your help!!

I made the inputs.conf now, but I still see "no results".
Do I need to restart anything?

0 Karma

Ayn
Legend

That's your squid configuration, not your Splunk configuration.

I take it you haven't added the Squid logs as an input in Splunk. As a start, putting this in an inputs.conf (for instance in /opt/splunk/etc/apps/SplunkforSquid/local) should get you going:

[monitor:///var/log/squid]
disabled = false
sourcetype = squid

0 Karma

ajstokvis
New Member

Where do I see this?
This is what I see in my squid.conf:

Logging

access_log /var/log/squid/access.log squid

0 Karma

Ayn
Legend

What sourcetype do you have for your Squid logs? You need to set this sourcetype to "squid", or at least create a sourcetype alias so that a search for 'sourcetype="squid"' will give results from the Squid logs.

0 Karma

ajstokvis
New Member

But what do I have to adjust?
I think I am not really understanding it.
When I go to the splunkforsquid page it shows "no results found".

My log files are in /var/log/squid/ and are called access.log and acces.log.2.gz and 3 and so on until acces.log.5.gz.

Can you please help me?
I would really like to get this working because the web proxy report for ClearOS does not have a lot of information.

0 Karma

Ayn
Legend

There should be no inputs.conf in your local directory. In fact Splunk for Squid doesn't have its own inputs.conf at all. Rather it assumes that there is already an input setup with sourcetype "squid" and uses this sourcetype to find the Squid logs.

0 Karma

Ayn
Legend

The easiest way to fix the problem is to change the sourcetype, as ageld explains in the answer above.

One drawback with just changing the sourcetype is that it won't affect already indexed data, so data that is already indexed will still not be viewable in the Splunk for Squid app. To remediate this, you can rename the "Access-11" sourcetype to "squid" at search time.

In props.conf:

[Access-11]
rename = squid

0 Karma
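The two fixes in this thread work at different layers: the inputs.conf stanza sets the sourcetype at index time (only for events indexed from now on), while the props.conf `rename` is a search-time alias that makes data already sitting in the index under "Access-11" answer to sourcetype="squid". The script below is an added illustration of that split, not code from the thread or from the Splunk for Squid app. The conf contents, the sample events, and the `diagnose` helper are constructed for the demo; the parser is a plain INI reader standing in for Splunk's own btool, and the monitor matching is simplified (a directory stanza covers everything beneath it, longest matching stanza wins).

```python
"""Added example: how inputs.conf (index time) and props.conf rename (search
time) decide whether Squid events answer to sourcetype="squid".
Not the Splunk for Squid app's code; conf texts and events are constructed."""
import configparser
from pathlib import PurePosixPath

# Constructed inputs.conf: one enabled stanza for the Squid logs and one
# disabled stanza, to show that disabled inputs are ignored.
INPUTS_CONF = """
[monitor:///var/log/squid]
disabled = false
sourcetype = squid

[monitor:///var/log/messages]
disabled = true
sourcetype = syslog
"""

# Constructed props.conf: the search-time alias from the answer above.
PROPS_CONF = """
[Access-11]
rename = squid
"""

# Constructed sample of what the index might hold after the user's fix:
# old events under the wrong sourcetype, new ones under "squid", plus noise.
EVENTS = [
    {"source": "/var/log/squid/access.log", "sourcetype": "Access-11"},
    {"source": "/var/log/squid/access.log", "sourcetype": "squid"},
    {"source": "/var/log/messages", "sourcetype": "syslog"},
]


def parse_conf(text):
    """Minimal .conf reader: {stanza: {key: value}}. Splunk stanza names such
    as monitor:///var/log/squid are valid configparser section names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def index_time_sourcetype(path, inputs):
    """Sourcetype a newly ingested file gets from inputs.conf, or None when no
    enabled [monitor://...] stanza covers it. A stanza whose path is a
    directory covers every file below it; the longest covering path wins."""
    p = PurePosixPath(path)
    best = None
    for stanza, settings in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        if settings.get("disabled", "false").strip().lower() in ("1", "true"):
            continue
        mon = stanza[len("monitor://"):]
        covers = (p == PurePosixPath(mon)) or (PurePosixPath(mon) in p.parents)
        if covers and (best is None or len(mon) > len(best[0])):
            best = (mon, settings.get("sourcetype"))
    return best[1] if best else None


def search_time_sourcetype(indexed_sourcetype, props):
    """Apply props.conf `rename`: the sourcetype a search sees for an event
    that was indexed under `indexed_sourcetype`."""
    return props.get(indexed_sourcetype, {}).get("rename", indexed_sourcetype)


def sourcetype_search(events, props, wanted="squid"):
    """Events returned by a search for sourcetype="<wanted>" once the rename
    is in effect: both the old Access-11 events and the new squid ones."""
    return [e for e in events
            if search_time_sourcetype(e["sourcetype"], props) == wanted]


def diagnose(path, inputs, props, wanted="squid"):
    """The troubleshooting order from the thread, for one log file: is there
    an input at all, and does its sourcetype reach the app's search?"""
    st = index_time_sourcetype(path, inputs)
    if st is None:
        return "no enabled monitor input covers the file; add a [monitor://...] stanza"
    if search_time_sourcetype(st, props) != wanted:
        return (f"indexed as {st!r}; set sourcetype = {wanted} in inputs.conf "
                f"or add rename = {wanted} under [{st}] in props.conf")
    return "ok"


if __name__ == "__main__":
    inputs, props = parse_conf(INPUTS_CONF), parse_conf(PROPS_CONF)
    for f in ("/var/log/squid/access.log", "/var/log/squid/access.log.2.gz",
              "/var/log/messages"):
        print(f, "->", diagnose(f, inputs, props))
    print(len(sourcetype_search(EVENTS, props)), "events match sourcetype=squid")
```

Remember that, as the thread itself found, a new inputs.conf stanza only takes effect once Splunk has been restarted (or the inputs reloaded), and the rename only helps searches; it does not rewrite what is stored in the index.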

ageld
Path Finder

How did you define the data input for this log? Is Splunk reading a local Squid log file? If that's the case, modify the file inputs.conf in the <splunk_directory>/etc/apps/<Splunk_for_squid>/local directory:

[monitor:///var/log/<squidlogfilename>]
disabled = false
followTail = 0
sourcetype = squid

0 Karma