
How to capture Solaris /var/adm/wtmpx data in splunk ?

gautham_001
New Member

Got a request to capture Solaris /var/adm/wtmpx data in Splunk. For testing purposes, I downloaded the Splunk Add-on for UNIX and Linux 5.2.4 from Splunkbase and created an app called Test-IA-wtmpx, which was deployed via the deployment server to a remote Solaris test machine, with the following configuration details:

/opt/splunk/etc/apps/Test-IA-wtmpx/bin/: before deploying to the remote Solaris machine, the lastlog.sh and who.sh executables were given the required permission by running "chmod +x" on the .sh files.

Created a local directory with the below configuration in inputs.conf.

**Testing to pull the data file wtmpx** 

#Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
index = unix
disabled = 0

# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = unix
disabled = 0


[monitor:///var/adm/wtmpx]
index = unix
disabled = 0

In the forwarder management console the Test-IA-wtmpx app was enabled and the restart option was also kept enabled, so that whenever the app is reloaded from the DP instance the app gets restarted.

But still, I could not see the data being ingested into Splunk when executing the below simple query.

index=unix source="/var/adm/wtmpx.txt" host=node1

Can anyone correct me if this is not the correct procedure to capture the wtmpx data in Splunk?


gautham_001
New Member

Hey, any help on this will be much appreciated!!!


kannu
Communicator

Can you please provide the logs from your splunkd.log file by grepping for ExecProcessor in that file?


kannu
Communicator

grep -i "ExecProcessor" $SPLUNK_HOME/var/log/splunk/splunkd.log


kannu
Communicator

Your last monitor entry is, I think, incorrect.

It should be:

For all text files:

[monitor:///var/adm/*.txt]
index = unix
disabled = 0

For a particular text file:

[monitor:///var/adm/wtmpx.txt]
index = unix
disabled = 0

And make sure that you have created an index named UNIX in your indexer or search head, wherever you are sending your data according to outputs.conf.


gautham_001
New Member

Hi kannu, thanks for your support on this. I tried the above steps but it did not work; I am still unable to get the data into Splunk. Kindly guide me on this.

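The monitor stanzas in this thread treat wtmpx as a text file, but on Solaris /var/adm/wtmpx is a binary log of fixed-size utmpx records, so a plain file monitor ingests unreadable bytes and a `.txt` path never exists. As an added example (not code from the thread or from the Splunk add-on), here is a small converter in the style of a scripted input that decodes each record into a key=value line Splunk can index; the record layout is assumed from the 32-bit on-disk struct futmpx in Solaris <utmpx.h>, and the sample bytes are constructed, not a real log.

```python
import struct
from datetime import datetime, timezone

# Assumed on-disk layout of one Solaris wtmpx record (struct futmpx, <utmpx.h>):
# 372-byte records in native byte order. "=" means native order, standard sizes,
# no implicit alignment, so the compiler padding before ut_tv ("2x") and at the
# tail ("1x") is written out explicitly.
RECORD = struct.Struct("=32s4s32sihhh2xiii5ih257s1x")
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "OLD_TIME", 4: "NEW_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}

def _cstr(raw):
    """Decode a NUL-padded C char array to str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmpx(data):
    """Yield one dict per complete record; a truncated trailing record is skipped."""
    for off in range(0, len(data) - RECORD.size + 1, RECORD.size):
        (user, ut_id, line, pid, ut_type, _term, ut_exit, tv_sec, tv_usec,
         session, *_pad, _syslen, host) = RECORD.unpack_from(data, off)
        yield {"user": _cstr(user), "id": _cstr(ut_id), "line": _cstr(line),
               "pid": pid, "type": UT_TYPES.get(ut_type, str(ut_type)),
               "exit": ut_exit, "session": session, "host": _cstr(host),
               "time": datetime.fromtimestamp(tv_sec, timezone.utc)
                       .replace(microsecond=tv_usec % 1_000_000)}

def to_event(rec):
    """Render one record as a key=value line that Splunk auto-extracts fields from."""
    return (f'{rec["time"].isoformat()} type={rec["type"]} user="{rec["user"]}" '
            f'line="{rec["line"]}" pid={rec["pid"]} host="{rec["host"]}" exit={rec["exit"]}')

def make_record(user, line, pid, ut_type, tv_sec, host="", ut_exit=0):
    """Pack a record in the same layout (constructed test data, not a real log)."""
    syslen = len(host) + 1 if host else 0
    return RECORD.pack(user.encode(), b"", line.encode(), pid, ut_type, 0, ut_exit,
                       tv_sec, 0, 0, 0, 0, 0, 0, 0, syslen, host.encode())

# Constructed sample: a login, its matching logout, and a truncated tail.
SAMPLE = (make_record("root", "pts/1", 1234, 7, 1700000000, "10.0.0.5")
          + make_record("root", "pts/1", 1234, 8, 1700003600) + b"\0" * 10)

if __name__ == "__main__":  # as a scripted input: python wtmpx2kv.py /var/adm/wtmpx
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "/var/adm/wtmpx", "rb") as fh:
        for record in parse_wtmpx(fh.read()):
            print(to_event(record))
```

Placed in the app's bin/ directory and referenced from a `[script://./bin/wtmpx2kv.py]` stanza, it emits one readable event per login/logout record instead of raw binary.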