
How to capture Solaris /var/adm/wtmpx data in Splunk?

gautham_001
New Member

Got a request to capture Solaris /var/adm/wtmpx data in Splunk. For testing purposes, I downloaded the Splunk Add-on for UNIX and Linux 5.2.4 from Splunkbase, created an app called Test-IA-wtmpx and deployed it via the deployment server to a remote Solaris test machine, with the following configuration details:

/opt/splunk/etc/apps/Test-IA-wtmpx/bin/: before deploying to the remote Solaris machine, the lastlog.sh and who.sh executables were given the required permissions by executing "chmod +x" on the .sh files.

Created a local directory with the below configuration in inputs.conf:

**Testing to pull the data file wtmpx** 

#Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
index = unix
disabled = 0

# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = unix
disabled = 0


[monitor:///var/adm/wtmpx]
index = unix
disabled = 0

In the forwarder management console the Test-IA-wtmpx app was enabled and the restart option was also kept enabled, so that whenever the app is reloaded from the DP instance the app gets restarted.

But still, I could not see the data being ingested into Splunk when executing the below simple query:

index=unix source="/var/adm/wtmpx.txt" host=node1

Can anyone correct me if this is not the correct procedure to capture the wtmpx data in Splunk?

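/var/adm/wtmpx is a binary file of utmpx records, not a text log, so a plain [monitor://] input on it cannot yield readable login events; the usual route is the same one the add-on takes for who.sh and lastlog.sh, a scripted input that converts each record to one text line. The script below is an added example, not code from the original post or from the Splunk Add-on for UNIX and Linux. It assumes the on-disk layout of Solaris `struct futmpx` (372 bytes per record, big-endian on SPARC, little-endian on x86), the script file name wtmpx.py is hypothetical, and the sample records it parses are constructed inline.

```python
"""Emit Solaris /var/adm/wtmpx login records as text events for a Splunk
scripted input. Added example; not part of the Splunk Add-on for UNIX and Linux."""
import struct
import sys
from datetime import datetime, timezone

# Assumed on-disk layout of Solaris `struct futmpx` (372 bytes per record; the
# explicit byte-order prefix disables native alignment, so pads are spelled out):
#   ut_user[32]  ut_id[4]  ut_line[32]  ut_pid:int32  ut_type:int16
#   ut_exit.e_termination:int16  ut_exit.e_exit:int16  (2 pad bytes)
#   ut_tv.tv_sec:int32  ut_tv.tv_usec:int32  ut_session:int32  pad[5]:int32
#   ut_syslen:int16  ut_host[257]  (1 pad byte)
RECORD_FMT = "32s4s32sihhh2xiii5ih257s1x"
RECORD_SIZE = struct.calcsize(">" + RECORD_FMT)  # 372

# ut_type values as defined in <utmpx.h>
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "OLD_TIME",
            4: "NEW_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
            7: "USER_PROCESS", 8: "DEAD_PROCESS", 9: "ACCOUNTING",
            10: "DOWN_TIME"}


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmpx(data, byteorder=">"):
    """Return one dict per complete record in `data`.

    byteorder ">" reads SPARC (big-endian) files, "<" reads x86 files.
    A trailing partial record (file still being written) is ignored.
    """
    fmt = byteorder + RECORD_FMT
    records = []
    for off in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        f = struct.unpack_from(fmt, data, off)
        # f[5], f[6] = exit status; f[8] = tv_usec; f[9] = session;
        # f[10:15] = reserved pad; f[15] = ut_syslen (not needed, host is NUL-terminated)
        user, ut_id, line, pid, ut_type, tv_sec, host = f[0], f[1], f[2], f[3], f[4], f[7], f[16]
        when = datetime.fromtimestamp(tv_sec, tz=timezone.utc)
        records.append({
            "time": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "type": UT_TYPES.get(ut_type, "UNKNOWN_%d" % ut_type),
            "user": _cstr(user),
            "id": _cstr(ut_id),
            "line": _cstr(line),
            "pid": pid,
            "host": _cstr(host),
        })
    return records


def format_event(rec):
    """One key=value line per record; the timestamp leads so Splunk picks it up."""
    return ('{time} type={type} user="{user}" line="{line}" pid={pid} '
            'host="{host}"').format(**rec)


def make_record(user, line, pid, ut_type, tv_sec, host, byteorder=">"):
    """Pack one record. Used here only to construct the sample input below."""
    hb = host.encode("ascii")
    syslen = len(hb) + 1 if hb else 0  # Solaris counts the terminating NUL
    return struct.pack(byteorder + RECORD_FMT, user.encode("ascii"), b"",
                       line.encode("ascii"), pid, ut_type, 0, 0, tv_sec, 0,
                       pid, 0, 0, 0, 0, 0, syslen, hb)


# Constructed sample: a boot record, a login from 10.0.0.5, and its logout.
SAMPLE_WTMPX = b"".join([
    make_record("reboot", "system boot", 0, 2, 1699999000, ""),
    make_record("alice", "pts/1", 4242, 7, 1700000000, "10.0.0.5"),
    make_record("", "pts/1", 4242, 8, 1700003600, ""),
])


def main(argv):
    path = argv[1] if len(argv) > 1 else "/var/adm/wtmpx"
    order = argv[2] if len(argv) > 2 else ">"
    with open(path, "rb") as fh:
        data = fh.read()
    for rec in parse_wtmpx(data, order):
        print(format_event(rec))


if __name__ == "__main__":
    main(sys.argv)
```

Placed in the app's bin/ directory it would be driven by a stanza of the same shape as the who.sh one in the post, for instance a hypothetical [script://./bin/wtmpx.py] with its own sourcetype and an interval. As written it re-emits the whole file on every run, so a production version would persist the byte offset it last read between runs (or let the indexer deduplicate) to avoid duplicate login events.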

gautham_001
New Member

Hey, any help on this will be much appreciated!!!

kannu
Communicator

Can you please provide logs from your splunkd.log file by grepping for ExecProcessor in that file.

kannu
Communicator

grep -i "ExecProcessor" $SPLUNK_HOME/var/log/splunk/splunkd.log

kannu
Communicator

Your last monitor entry is, I think, incorrect.

It should be

for all text files:

[monitor:///var/adm/*.txt]
index = unix
disabled = 0

for a particular text file:

[monitor:///var/adm/wtmpx.txt]
index = unix
disabled = 0

And make sure that you have created an index named UNIX on your indexer or search head, wherever you are sending your data according to outputs.conf.

gautham_001
New Member

Hi kannu, thanks for your support on this. I tried the above steps but it did not work; I am still unable to get the data into Splunk. Kindly guide me on this.