Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unix App and searching Unix Logs

nmcbride
Engager
‎04-09-2011 12:37 AM

So once you have the unix app installed, one of the things it does is monitors /var/log. However you can't seem to search the logs as if you add /var/log as a directory input. And since it is already monitored, you can't add it again. How do you fix this?

Tags (2)
Reply

sideview
SplunkTrust
SplunkTrust
‎04-11-2011 07:09 PM

I think the difficulty arises in that the unix app puts the events into index="os".

1) Try adding index="os" to your search. I bet you'll be able to see the events then.

2) Go to Manager > Authentication > Roles, and you can edit some or all of your roles such that index'os' is implicitly included when searches are run. Be careful though - there are two index sections on those pages and they look different but they do very different things.

Reply

LCM
Contributor
‎04-09-2011 10:29 AM

If a directory is already added (/var/log), there is no need to add it again. Once added means, it monitors ANY files in there. In the search app, it shouldn't be a problem now to search for evens stored in /var/log although the directory has been added by *nix app.

Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...