Hello There
I'm trying to index a few Splunk internal logs like splunkd, metrics, web*, audit, etc under /var/log/splunk to another index, however, all the logs are populating in the other index except audit.log
please suggest..
Many Thanks!
I have changed the audit log location in log.cfg (log-local.cfg) to other directory and then able to index it.
Thanks.
I have changed the audit log location in log.cfg (log-local.cfg) to other directory and then able to index it.
Thanks.
Not sure, but, Just a thought, the audit, splunkd logs may be already indexed thru splunk's own internal indexes, isn't ?!?!
Yes, however I'd like to send many UF internal logs to other existing index rather than Splunk own internal index to develop a customized app.