- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- linux logs to splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
linux logs to splunk
Hi Friends,
I am trying to add Linux logs in Splunk, Created server class and added the app details. completed all the basic steps but still i cant find the data in splunk head . below you can find the sample logs from server. Anyone please suggest me config file for the same .
Sample log format :
01:00:07.703 STATUS: TRelease: TRACK: 201907160100NASDAQ_NDE__1000252590 en-synd1_0_3001.hld being marked ready for delivery.
01:00:07.703 STATUS: TRelease: TRACK: Leaving shm_keydist_check_response(): re ady count = 1
01:00:07.703 STATUS: TRelease: TRACK: 1 responses are ready to process.
01:00:07.703 STATUS: TRelease: TRACK: Preparing release files for 201907160100 NASDAQNDE____1000252590_en-synd1_0_3001.hld. Received all 1 replies back.
01:00:07.704 STATUS: TRelease: TRACK: prepare_release_list()
01:00:07.704 STATUS: TRelease: TRACK: add_in_serials() Added 2 serial numbers
01:00:07.704 STATUS: TRelease: TRACK: Serial 3001: delivered release file: 201 907160100NASDAQNDE____1000252590_en-synd1_0_3001.rls.
01:00:07.706 STATUS: TRelease: TRACK: Serial 3002: delivered release file: 201 907160100NASDAQNDE____1000252590_en-synd1_0_3001.rls.
01:00:07.707 STATUS: TRelease: TRACK: shm_keydist_clear_slot_by_id(0) - 201907 160100NASDAQNDE____1000252590_en-synd1_0_3001.hld
01:00:07.794 STATUS: TsynDg1-1: TRACK: shm_keydist_update_sent() - 2019071601 00NASDAQNDE______1000252594_en-synd1_0_3001.hld
01:00:07.794 STATUS: TsynDg1-1: TRACK: find_slot_by_filename(201907160100NASDA
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which apps have you included in the server class? Do any of them include inputs.conf? What are the inputs.conf settings? Is there an outputs.conf that tells the forwarder where the indexers are? Have you verified the apps are installed on the forwarder?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi niranjan28,
can you please describe your setup?
Is there a Splunk Universal Forwarder sending data to your Indexer?
If yes: Does it get listed in your Monitoring Console correctly?
Kind regards,
Michael
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
