Getting Data In

Eating Nagios event logs without installing Splunk for Nagios app

grijhwani
Motivator

I have hunted high and low for documentation of appropriate sourcetypes.conf and props.conf stanzas for the Nagios event logs, without installing the SplunkForNagios app. I don't want all the fancy stuff, just to index the event-logs for incident investigation. I have created the index, and now I want to do a one-shot import of an existing log (which I know how to do), but I want the indexing and extraction properties right before I do.

Trouble is, when it comes to understanding props, sourcetypes, and transforms I am a complete novice. My only Splunk experience lies in searches, basic server installation, and log/storage management. Field extraction I can do interactively, after the fact, once I have some sample logs indexed.

I am puzzled because I downloaded and extracted the SplunkForNagios app to dissect it, and there is no indexes.conf, no inputs.conf and no sourcetypes.conf. That really threw me. How the heck is it to determine where to get the logs from or to?

0 Karma

mloven_splunk
Splunk Employee

grijhwani,

I'm not familiar with the Nagios app, but often app developers will leave the index and input creation up to the user rather than assume to know what will work best for each environment. One customer may have all of their data in the main index. Another may split data into multiple indexes.

As such, they don't specify indexes within saved searches or eventtypes. This makes them less efficient, but more likely to match a greater number of users.

As for sourcetypes, what to name sourcetypes is usually subjective. If you aren't using the app, name it what you will, as long as the corresponding props.conf file references the correct name.

Hope that helps!

0 Karma
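A minimal set of stanzas of the kind the answer describes, where the user creates the index and input and the sourcetype name only has to agree with the props.conf stanza. This is an added example for the thread, not configuration from the Splunk for Nagios app or from either poster; the index name `nagios`, the sourcetype name `nagios_events` and the log path `/var/log/nagios/nagios.log` are assumptions, and the sample log line in the comments is constructed.

```ini
# Added example, not part of the thread or of the Splunk for Nagios app.
# Assumptions: index "nagios", sourcetype "nagios_events",
# log file /var/log/nagios/nagios.log, default $SPLUNK_DB volume paths.

# --- indexes.conf (indexer) ---
[nagios]
homePath   = $SPLUNK_DB/nagios/db
coldPath   = $SPLUNK_DB/nagios/colddb
thawedPath = $SPLUNK_DB/nagios/thaweddb

# --- inputs.conf (forwarder or whichever instance reads the file) ---
[monitor:///var/log/nagios/nagios.log]
index      = nagios
sourcetype = nagios_events
disabled   = false

# --- props.conf (stanza name must match the sourcetype above) ---
[nagios_events]
# Every Nagios event line begins with an epoch timestamp in brackets,
# e.g. (constructed) "[1700000000] SERVICE ALERT: web01;HTTP;CRITICAL;HARD;3;HTTP CRITICAL - 503"
# Index-time settings: one event per line, _time taken from Nagios's own clock.
SHOULD_LINEMERGE        = false
LINE_BREAKER            = ([\r\n]+)
TIME_PREFIX             = ^\[
TIME_FORMAT             = %s
MAX_TIMESTAMP_LOOKAHEAD = 10
TRUNCATE                = 10000
# Search-time extractions: each EXTRACT-<class> is one regex whose named groups become fields.
EXTRACT-nagios_event_type    = ^\[\d+\]\s+(?<event_type>[A-Z ]+?):\s
EXTRACT-nagios_service_alert = SERVICE ALERT:\s+(?<host>[^;]+);(?<service>[^;]+);(?<state>[^;]+);(?<state_type>[^;]+);(?<attempt>\d+);(?<message>.*)$
EXTRACT-nagios_host_alert    = HOST ALERT:\s+(?<host>[^;]+);(?<state>[^;]+);(?<state_type>[^;]+);(?<attempt>\d+);(?<message>.*)$
```

The timestamp settings are the part worth getting right before a one-shot import: with `TIME_FORMAT = %s` each event's `_time` is the Nagios timestamp rather than the time Splunk read the file, so a back-filled log sorts correctly into an incident timeline instead of collapsing onto the import time. The `EXTRACT-` regexes are search-time only, so they can be adjusted after indexing without re-ingesting; `splunk btool props list nagios_events` shows the merged stanza Splunk will actually apply.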

grijhwani
Motivator

Resurrecting my interest in this topic, my concern is not how to name things, which is (as you say) entirely subjective and influenced by whatever naming hierarchy one is used to. My interest is in the substance of the type declarations to gain the maximum benefit from having the logs indexed to begin with.

0 Karma

grijhwani
Motivator

I'm on the right track by myself. More detail when I finally get there.

0 Karma