Getting Data In

Able to see the system logs but cannot see the remote logs (in the same server) where the log files are installed.

srividyareddy
New Member

My log files are installed on Server "A". I am using the free Splunk version 6.6.3.
I can see the system files of "A" but cannot see the remote files in "A" (the path remains the same).

Please help!!

0 Karma

gcusello
SplunkTrust

Hi srividyareddy,
Let me understand:
I think that ServerA is the Splunk Enterprise server: you can index local logs and you would like to index logs from other servers (remote logs).
How do these remote servers send their logs to Splunk Enterprise: did you use a Splunk Universal Forwarder installed on those servers, or other methods (e.g. syslog or others)?
Anyway, you should read http://docs.splunk.com/Documentation/Splunk/6.6.3/Data/WhatSplunkcanmonitor and define how to ingest remote logs.
Bye.
Giuseppe

0 Karma

srividyareddy
New Member

Installed universal forwarder on the server.

0 Karma

gcusello
SplunkTrust

Hi srividyareddy,
Let me understand: on ServerA do you have Splunk Enterprise or a Universal Forwarder? In other words: is ServerA a Splunk server or a target server?
If it's a target server you cannot use it to see logs: the UF doesn't have a web interface.
If instead it is a Splunk server, you don't need a UF on this server because the Splunk server can ingest local logs.
What are remote logs?
Bye.
Giuseppe

0 Karma

srividyareddy
New Member

Server A ---> Universal Forwarder, which has the logs deployed.
Server B ---> Splunk installed, which is the free version 6.6.3.

Now, we are just testing the ingestion part, for which we can see the data related to system logs on server A, but at the same time we are unable to see the other logs (which are copy-pasted there).

I mean, I have copied logs from B and pasted them on A. How do I see the complete logs of both servers in Splunk while searching?

0 Karma

gcusello
SplunkTrust

Hi srividyareddy,
You have to add another stanza to the inputs.conf file of ServerA (Forwarder) to take these logs.

inputs.conf is in $SPLUNK_HOME/etc/system/local or in $SPLUNK_HOME/etc/apps/your_TA/local

An example of this stanza could be (for log files located in /tmp/my_test_files):

[monitor:///tmp/my_test_files/*]
index = my_test_index
sourcetype = my_test_sourcetype
disabled = 0

You can identify logs from the source fields.

Bye.
Giuseppe

0 Karma
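A small pre-deployment check for the forwarder's inputs.conf, added here as an example and not part of the thread or of Splunk's own tooling: it parses the [monitor://...] stanzas, then flags the three reasons a stanza like the one above would ingest nothing visible in search: the stanza is disabled, no file on the forwarder matches the monitored path, or the stanza names an index that the receiving Splunk server has not defined. The sample conf text and the set of "known indexes" are constructed; list_files is injectable only so the check can be exercised against paths that do not exist on the machine running it.

```python
import configparser
import glob

# Constructed sample inputs.conf, modelled on the stanza in the answer above.
SAMPLE_INPUTS_CONF = """
[monitor:///tmp/my_test_files/*]
index = my_test_index
sourcetype = my_test_sourcetype
disabled = 0

[monitor:///tmp/old_logs]
index = main
disabled = 1
"""

def parse_monitor_stanzas(conf_text):
    """Return one dict per [monitor://<path>] stanza, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    stanzas = []
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue  # other input types (tcp, udp, script...) are out of scope here
        stanzas.append({
            "path": section[len("monitor://"):],
            "index": cp.get(section, "index", fallback="default"),
            "sourcetype": cp.get(section, "sourcetype", fallback=None),
            "disabled": cp.get(section, "disabled", fallback="0").strip().lower() in ("1", "true"),
        })
    return stanzas

def check_stanzas(stanzas, known_indexes, list_files=glob.glob):
    """Return (path, problem) pairs for stanzas that would ingest nothing searchable.
    known_indexes: indexes defined on the receiving Splunk server (assumed input)."""
    findings = []
    for s in stanzas:
        if s["disabled"]:
            findings.append((s["path"], "stanza is disabled"))
            continue
        if not list_files(s["path"]):  # glob handles both a single file and a /* pattern
            findings.append((s["path"], "no files match this path on the forwarder"))
        if s["index"] not in known_indexes:
            findings.append((s["path"], "index '%s' not defined on the indexer" % s["index"]))
    return findings

if __name__ == "__main__":
    # Assumed: the indexer only has the default 'main' index defined.
    for path, problem in check_stanzas(parse_monitor_stanzas(SAMPLE_INPUTS_CONF), {"main"}):
        print(path, "->", problem)
```

Run it on the forwarder with the real inputs.conf text and the indexer's index list; anything it reports explains a source that never shows up in search before you go looking at the source field.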

gcusello
SplunkTrust

If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe

0 Karma