Re: Linux log formatting

rriley · ‎05-29-2012

Can't seem to get Splunk to interpret the RHEL syslog data.
I have tried several different formats:
syslog
linux_syslog_messages
Still only get this:

--splunk-cooked-mode-v3--\x00/x00... forever

Any ideas on this?

I am formatting the forwarding server the same as the indexer.

Ayn · ‎05-29-2012

Your forwarder is sending Splunk cooked data to the indexer, but the port you've configured to the indexer is a regular raw TCP input, not an input for receiving cooked data. You need to remove the TCP input (Manager » Data inputs » TCP) and instead configure a Splunk receiver (Manager » Forwarding and receiving » Receive data) on the same port.

rriley · ‎05-29-2012

forwarder inputs.conf

host=myhost
[monitor:///var/log/messages]
followTail=0
disabled=false
sourcetype=syslog

forwarder outputs.conf

[tcpout]
defaultGroup=myhost_9997
server=myhost
[tcpout:myhost_9997]
autoLB=true
server=myhost:9997

for some reason there is nothing but the server name in the /local/inputs.conf file (odd). I am printing what i see in the manager gui. I have re-statted splunk...

indexer

inputs tcp 9997
Source - accept connections from all hosts yes
no source name override
sourcetype manual syslog

Ayn · ‎05-29-2012

Give us details on the setup. From what you pasted it sounds like you've setup a TCP listener on the indexer but you're forwarding splunktcp data from a Splunk forwarder.

Linux log formatting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation