All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to capture Solaris /var/adm/wtmpx data in splunk ?

gautham_001
New Member
‎05-01-2018 07:21 AM

Got a request to capture Solaris /var/adm/wtmpx data in splunk. For testing purpose, downloaded the Splunk Add-on for UNIX and Linux from splunk base 5.2.4 and created a app called Test-IA-wtmpx and deployed via deployment server to remote Solaris test machine. With the following configuration details:

/opt/splunk/etc/apps/Test-IA-wtmpx/

/bin/ before deploying to remote Solaris machine lastlog.sh who.sh executable are given required permission by executing the "chmod +x" on the .sh files

Created a local directory with below configuration in the inputs.conf 

**Testing to pull the data file wtmpx** 

#Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
index = unix
disabled = 0

# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = unix
disabled = 0


[monitor:///var/adm/wtmpx]
index = unix
disabled = 0

In forwarder management console Test-IA-wtmpx app was enabled and the restart option was also kept enabled, so that whenever the app is reloaded from DP instance the app should get restarted.

But still, I could not see the data being ingested in to splunk by executing the below simple query.

index=unix source="/var/adm/wtmpx.txt" host=node1

Can any one correct me if this is not the correct procedure to capture the wtmpx data in splunk.

Tags (3)
0 Karma
Reply

gautham_001
New Member
‎05-02-2018 07:31 AM

hey any help on this will be much appreciated !!!

0 Karma
Reply

kannu
Communicator
‎05-02-2018 07:46 AM

Can you please provide logs of your splunkd.log file by greping ExecProcessor on that file .

0 Karma
Reply

kannu
Communicator
‎05-02-2018 07:47 AM

cat $SPLUNK_HOME/opt/splunkforwarder/var/log/splunk/splunkd.log | grep -i " ExecProcessor"

0 Karma
Reply

kannu
Communicator
‎05-02-2018 07:51 AM

your last monitor entry is i think incorrect

It should be

for all the file text file

[monitor:///var/adm/*.txt]
index = unix
disabled = 0

for particular file text file

[monitor:///var/adm/wtmpx.txt]
index = unix
disabled = 0

and make sure that you have created index of named UNIX in your indexer or search head where ever you are sending your data according to outputs.conf

0 Karma
Reply

gautham_001
New Member
‎05-09-2018 02:33 AM

Hi kannu, thanks for your support on this. I had tried above steps but it did not work, still unable to get the data in splunk. Kindly guide me on this.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top