Splunk Search

How to find where logs are coming from and where they are being monitored?

JoeSco27
Communicator

I am seeing logs in an instance of Splunk, but I am unsure where the monitoring is set up. I checked my serverclass.conf and the servers were not listed on the whitelist. I checked my deployment monitor app and see 3 apps deployed to the server (my deploymentclient.conf app, my outputs.conf app, and windows app); when I check out each app there is no monitoring stanza for these logs I see in Splunk. I try to make a new serverClass, but the logging that is already in place is taking priority and I can't format the logs.

Can someone help out with useful troubleshooting tricks or advice if they have seen this before?

0 Karma

bmacias84
Champion

If you are trying to figure out which app contains the settings which are being set, use btool.

./splunk cmd btool --debug inputs list
or
./splunk cmd btool --debug deploymentclient list

Also search your _internal index for downloads from your deployment server. The peer field should have the IP address of the host in question with which serverclasses are being applied.

index=_internal PackageDownloadRestHandler

I am assuming you are sending your deployment server logs to your indexers and you are running 6.3 or higher.

0 Karma

rlaan
Path Finder

Not a Splunk tool, but if you are running on a *nix system, I usually run a command similar to this when trying to locate where files are coming from (sometimes transforms will rename sources, so the inputs file won't contain the required information as to what is running the monitor; it is worth looking into transforms.conf if inputs.conf did not provide the source).

$ find /opt/splunk/etc -iname "*.conf" | xargs grep -Hni --color ""

This will search through all of the conf files under etc, return any lines to you that the search term was found in, as well as displaying the path to the file it came from and the line number within that file. Easily my favorite command for searching systems I am unfamiliar with. Hope this helps!

0 Karma
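An added shell example (not code from any poster in this thread) that turns rlaan's grep and the transforms.conf/serverclass.conf hints from the answers above into three targeted checks: it reports file:line for [monitor://...] stanzas matching a path fragment, transforms.conf rules that overwrite the source field, and serverclass.conf whitelist/blacklist lines naming a host. It assumes the standard etc/{system,apps/<app>}/{default,local} layout; make_fixture builds a constructed sample tree so the functions can be tried offline.

```sh
#!/bin/sh
# Added example, not from the thread. Walks a Splunk etc/ tree and prints
# file:line:text for config lines that can explain an unexpected source.
# Assumes the usual layout etc/{system,apps/<app>}/{default,local}/*.conf.

# find_monitor_stanzas ETC_DIR FRAGMENT -> [monitor://...] stanzas whose path contains FRAGMENT
find_monitor_stanzas() {
    find "$1" -type f -name inputs.conf 2>/dev/null | sort | while read -r f; do
        grep -Hn '^\[monitor://' "$f" | grep -iF -- "$2" || true
    done
}

# find_source_rewrites ETC_DIR -> transforms that overwrite MetaData:Source (the
# reason a source seen in search may not match any inputs.conf path)
find_source_rewrites() {
    find "$1" -type f -name transforms.conf 2>/dev/null | sort | while read -r f; do
        awk -v file="$f" '/^\[/ { stanza = $0 }
            /DEST_KEY[[:space:]]*=[[:space:]]*MetaData:Source/ { print file ":" NR ":" stanza " " $0 }' "$f"
    done
}

# find_serverclass_hosts ETC_DIR HOST -> whitelist/blacklist lines mentioning HOST
find_serverclass_hosts() {
    find "$1" -type f -name serverclass.conf 2>/dev/null | sort | while read -r f; do
        grep -HniE '^(whitelist|blacklist)\.[0-9]+[[:space:]]*=' "$f" | grep -iF -- "$2" || true
    done
}

# make_fixture -> path to a constructed etc/ tree (sample data, not real config)
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/apps/win_inputs/local" "$d/apps/props_fix/local" "$d/system/local"
    cat > "$d/apps/win_inputs/local/inputs.conf" <<'EOF'
[monitor://C:\inetpub\logs\LogFiles]
sourcetype = iis
EOF
    cat > "$d/apps/props_fix/local/transforms.conf" <<'EOF'
[rename_iis_source]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = .
FORMAT = source::iis_combined
EOF
    cat > "$d/system/local/serverclass.conf" <<'EOF'
[serverClass:web_servers]
whitelist.0 = web01*
EOF
    echo "$d"
}
```

Run it against a real tree with, for example, `find_monitor_stanzas "$SPLUNK_HOME/etc" inetpub`; a source that matches no monitor stanza but does hit a DEST_KEY = MetaData:Source transform was renamed after ingestion, so that transform's app is where to look.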

Raghav2384
Motivator

Usually the source metafield will hold the location of the data source. index=|stats count by source should give you all the sources that are contributing to your Splunk installation. Note: Assuming you have access to index= 🙂
Hope this helps.

Thanks,
Raghav

0 Karma

JoeSco27
Communicator

I can see the source from which the log file is coming, but as the sysAdmin I never set up monitoring for that source. I am trying to understand where in the config files this monitoring has been set up, as I cannot see anything to do with it in my deployment-server's serverclass.conf or in my apps that include my inputs.conf.

0 Karma