Able to see the system logs but cannot see the remote logs (in the same server) where the log files are installed.
My log files are installed on Server "A". I am using the free Splunk version 6.6.3.
I can see the system files of "A" but cannot see the remote files in "A" (the path remains the same).
Let me understand:
I think that ServerA is the Splunk Enterprise server; you can index local logs and you want to index logs from other servers (remote logs).
How do these remote servers send their logs to Splunk Enterprise: did you use a Splunk Universal Forwarder installed on those servers, or other methods (e.g. syslog)?
Anyway, you should read http://docs.splunk.com/Documentation/Splunk/6.6.3/Data/WhatSplunkcanmonitor and define how to ingest remote logs.
Let me understand: on ServerA do you have Splunk Enterprise or the Universal Forwarder? In other words: is ServerA a Splunk server or a target server?
If it's a target server you cannot use it to see logs: the UF doesn't have a web interface.
If instead it is a Splunk server, you don't need a UF on this server because the Splunk server can ingest local logs.
What are remote logs?
Server A ---> Universal Forwarder, which has the logs deployed.
Server B ----> Splunk installed, which is the free version 6.6.3.
Now, we are just testing the ingestion part, for which we can see the data related to the system logs on server A, but at the same time we are unable to see the other logs (which are copy-pasted here).
I mean, I have copied logs from B and pasted them in A. How can I see the complete logs of both servers in Splunk while searching?
You have to add to the inputs.conf file of ServerA (Forwarder) another stanza to take these logs.
inputs.conf is in $SPLUNK_HOME/etc/system/local or in $SPLUNK_HOME/etc/apps/your_TA/local.
An example of this stanza could be (for log files located in /tmp/mytestfiles):

[monitor:///tmp/my_test_files/*]
index = my_test_index
sourcetype = my_test_sourcetype
disabled = 0
You can identify logs from the source fields.
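A quick way to check which files on the forwarder an inputs.conf actually covers, which is the problem in this thread (copied files with no matching stanza). This is an added example, my code and not from the thread or from Splunk; the sample inputs.conf and the file paths are constructed, and the wildcard handling is an approximation of Splunk's "..." (recursive) and "*" (single path segment) semantics:

```python
"""Check which log files are covered by enabled [monitor://...] stanzas in an inputs.conf."""
import configparser
import re

# Constructed sample inputs.conf (not from the thread); paths are assumptions.
SAMPLE_INPUTS_CONF = """
[monitor:///var/log]
index = os
sourcetype = syslog
disabled = 0
[monitor:///tmp/my_test_files/*]
index = my_test_index
sourcetype = my_test_sourcetype
disabled = 0
[monitor:///opt/old_app/logs]
index = old
disabled = 1
"""

def parse_monitor_stanzas(text):
    """Return (path_pattern, settings) pairs for every *enabled* monitor stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    stanzas = []
    for name in cp.sections():
        if not name.startswith("monitor://"):
            continue
        settings = dict(cp[name])
        if settings.get("disabled", "0").strip().lower() in ("1", "true"):
            continue  # disabled = 1 means the forwarder ignores this stanza
        stanzas.append((name[len("monitor://"):], settings))
    return stanzas

def splunk_pattern_to_regex(pattern):
    """Approximate Splunk monitor wildcards: '...' crosses directories, '*' stays in one segment.
    A plain directory path monitors everything beneath it, hence the trailing (/.*)? group."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out, i = out + ".*", i + 3
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "(/.*)?$")

def covering_stanza(path, stanzas):
    """Return the first enabled monitor pattern that would pick up `path`, or None if uncovered."""
    for pattern, _settings in stanzas:
        if splunk_pattern_to_regex(pattern).match(path):
            return pattern
    return None
```

Files for which covering_stanza() returns None are the ones that need a new stanza (or an enabled one) before they will ever reach the indexer.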