I installed splunk 4.2.3 and I want to monitor statistics of BIND 9.7.2 (DNS) queries through it. I used SPLUNK FOR BIND application and installed it in splunk panel, but in dashboard I can't see any graph and splunk shows me this (in more info link):
search sourcetype=named eventtype=named_event host="" named_query_type="" | timechart count by host usenull="f" useother="f"
It seems that splunk can't find BIND log files and events.
I made a props.conf file and put it in /opt/splunk/etc/apps/named/local. its content is:
[named] pulldown_type = true maxDist = 3 TIME_FORMAT = %b %d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 32 TRANSFORMS = syslog-host REPORT-syslog = syslog-extractions SHOULD_LINEMERGE = False [source::/var/named/data/named.log] sourcetype=named
what is the problem in drawng DNS graphs?
Have you defined any inputs and actually indexed any bind data yet? I see you put a
[source::/var/log/named...] stanza in
props.conf. Do you actually have a matching
[monitor::] stanza in
inputs.conf that is pulling the data in?
I recommend taking a look at the Getting Data In chapter of the docs, specifically the section on monitoring files and directories. These should get you started on getting the data into splunk so you can use the app on it.