
Given server address 123.0.0.456 and path /etc/tomcat/logs/catalina.out, how do I find this log in Splunk?

Path Finder

I know how to ssh into the server and view this log. I want to know how I can easily view this log in Splunk without having to memorize abstractions.

So given only this information how do I see the log in Splunk?

1 Solution

Path Finder

No, it's not possible. To find logs with Splunk, follow this procedure:

Get Splunk access (this needs to be updated) and find the secret prod URL and non-prod URL to log in.
Enter the secret index key. Look at the left panel to find the secret string for the hosts.
Enter the source (file path) using the left panel or the complete path to the file.

Note: The domain name and the IP address will NOT work. You need the secret host string that's listed on the left side, after searching with the secret index.

Note: Complete logs may not be shown.



SplunkTrust

Yes, it IS possible, and two answers explain how to do so. Yes, getting access to Splunk is critical, but that's assumed if you're asking the question.
Index names aren't secret (at least they shouldn't be). If you have access to Splunk then you'll have access to at least one index. There are ways to find out the indexes you can access, but you can always ask your admin.
Host names also shouldn't be secret. Usually, host names in Splunk are the IP address or DNS name you would use to connect to that host. If not, that was a local decision.


Path Finder

I got access to Splunk. I tried the above answers and they don't work. When I ssh to the IP address I get the expected response, but when I put host=123.0.0.1 index=mysecretindex, I get no results. If indexes aren't secret, how do I find the index I have access to using Splunk? Each time I have to go to my notes and copy and paste. The host name is not the full domain name, it's the first portion of the domain. No way I would know the host name unless I search with the index or get lucky trying host names. After all this, the logs are being filtered (only fatal logs) and I can't see the request and response I need to fix a defect.


Path Finder

index=* host="123.0.0.456" source="/etc/tomcat/logs/catalina.out"
or do nslookup 123.0.0.456 to get the hostname, if the host field is a name.


SplunkTrust

Rather simple. If the file is being read by a forwarder or locally on a Splunk instance, you can filter by source. For example source="/etc/tomcat/logs/catalina.out", or use wildcards: source="*catalina.out". Make sure to select the correct time span.

Skalli

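Putting the answers above together (the indexes you can search are discoverable, the host field may be a short name rather than the IP, and the source can be matched with a wildcard over a sensible time span), here is a set of SPL searches added as an example. They are not taken from any of the posts. The index name main, the host name tomcat01, the time ranges and the Tomcat JULI line format assumed by the rex pattern are placeholders to be replaced with what the first two searches return.

```spl
| eventcount summarize=false index=*
| dedup index
| table index

| tstats count WHERE index=* source="*catalina.out" earliest=-7d BY index host source

| metadata type=hosts index=main
| table host firstTime lastTime totalCount

index=main host="tomcat01" source="/etc/tomcat/logs/catalina.out" earliest=-4h
| reverse

index=main host="tomcat01" source="/etc/tomcat/logs/catalina.out" earliest=-24h
| rex field=_raw "^\S+\s+\S+\s+(?<level>[A-Z]+)\s"
| stats count BY level
```

Run them one at a time. The first search lists only the indexes the current role is permitted to search, with no time range needed, which removes the need to keep index names in notes. The second search uses the source wildcard from the last answer and reports which index and host string have actually received a catalina.out in the last seven days; the host value it returns is the string to use, whether that is an IP, an FQDN or a short name. The third search lists every host in the chosen index with first/last seen times, useful when the host is known only by its short name. The fourth search is the final query, oldest events first. The last search counts events by the severity token at the start of each Tomcat line (assumed dd-MMM-yyyy HH:mm:ss.SSS LEVEL format); if only SEVERE shows up, the forwarder or index-time configuration is dropping the other levels and that, not the search, is what needs fixing.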