All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to capture Solaris /var/adm/wtmpx data in splunk ?

gautham_001
New Member
‎05-01-2018 07:21 AM

Got a request to capture Solaris /var/adm/wtmpx data in splunk. For testing purpose, downloaded the Splunk Add-on for UNIX and Linux from splunk base 5.2.4 and created a app called Test-IA-wtmpx and deployed via deployment server to remote Solaris test machine. With the following configuration details:

/opt/splunk/etc/apps/Test-IA-wtmpx/

/bin/ before deploying to remote Solaris machine lastlog.sh who.sh executable are given required permission by executing the "chmod +x" on the .sh files

Created a local directory with below configuration in the inputs.conf 

**Testing to pull the data file wtmpx** 

#Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
index = unix
disabled = 0

# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = unix
disabled = 0


[monitor:///var/adm/wtmpx]
index = unix
disabled = 0

In forwarder management console Test-IA-wtmpx app was enabled and the restart option was also kept enabled, so that whenever the app is reloaded from DP instance the app should get restarted.

But still, I could not see the data being ingested in to splunk by executing the below simple query.

index=unix source="/var/adm/wtmpx.txt" host=node1

Can any one correct me if this is not the correct procedure to capture the wtmpx data in splunk.

Tags (3)
0 Karma
Reply

gautham_001
New Member
‎05-02-2018 07:31 AM

hey any help on this will be much appreciated !!!

0 Karma
Reply

kannu
Communicator
‎05-02-2018 07:46 AM

Can you please provide logs of your splunkd.log file by greping ExecProcessor on that file .

0 Karma
Reply

kannu
Communicator
‎05-02-2018 07:47 AM

cat $SPLUNK_HOME/opt/splunkforwarder/var/log/splunk/splunkd.log | grep -i " ExecProcessor"

0 Karma
Reply

kannu
Communicator
‎05-02-2018 07:51 AM

your last monitor entry is i think incorrect

It should be

for all the file text file

[monitor:///var/adm/*.txt]
index = unix
disabled = 0

for particular file text file

[monitor:///var/adm/wtmpx.txt]
index = unix
disabled = 0

and make sure that you have created index of named UNIX in your indexer or search head where ever you are sending your data according to outputs.conf

0 Karma
Reply

gautham_001
New Member
‎05-09-2018 02:33 AM

Hi kannu, thanks for your support on this. I had tried above steps but it did not work, still unable to get the data in splunk. Kindly guide me on this.

0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...
Top