Hi,
I am using Splunk on Ubuntu and edited the inputs.conf file to look at an IP address which I hope is working.
I want to look in the log file to test if it's working but I am unable to locate which log files it would be located in.
Also if someone could post part of their inputs.conf file just so I can make sure I am inputting the stanza correctly that would be amazing.
Any help would be appreciated.
Thanks.

That'll listen for TCP data on port 23, so connection attempts without any data aren't going to show. This is for an application sending you splunkable data as a TCP stream.
Instead, you should get your local firewall to log these attempts and splunk the firewall logs.

If you didn't specify an index then they will end up in index=main. Look for tcp, that IP, and that port in the source field.
Thanks Someoni2, that's very helpful.
Hi Martin,
This is my inputs.conf posted.
[default]
host = mahmud-X551CA
[tcp-ssl:]
[tcp:192.168.1.88:23]
Which I think may have been incorrect according to the file that someoni2 posted.
And sorry for the bad description of "look at an IP address". I should have said "look for any data received from a specific IP address".
I am currently doing a university project and I am trying to find out how Splunk can alert me if any connections or data are received from specific IP addresses without using any apps.
Thanks.
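As an added example (not from this thread, the Splunk documentation, or any poster), here is a minimal inputs.conf that shows what the stanzas above actually configure and the firewall-log approach recommended earlier in the thread; the sourcetype names, the ufw log path and the search line are assumptions.

```ini
# Added example, not the OP's file or Splunk's own sample.
[default]
host = mahmud-X551CA

# Listen on TCP port 23 and accept data only from 192.168.1.88. Note the "//"
# after "tcp:"; the stanza "[tcp:192.168.1.88:23]" posted above omits it.
# This input only receives data an application sends it; a bare connection
# attempt carries no data and is never indexed. Binding a port below 1024
# also requires Splunk to run with root privileges.
[tcp://192.168.1.88:23]
sourcetype = syslog
index = main
connection_host = ip

# An empty "[tcp-ssl:]" stanza configures nothing. A TLS listener needs a port
# (e.g. [tcp-ssl://9997]) plus the certificate settings in the [SSL] stanza;
# both are omitted here.

# What the earlier answer recommends instead: have the local firewall log
# connection attempts and monitor that log. ufw on Ubuntu writes netfilter
# LOG lines to /var/log/ufw.log (assumed path and sourcetype).
[monitor:///var/log/ufw.log]
sourcetype = ufw
index = main

# Constructed search to alert on; it assumes the netfilter "SRC=... DPT=..."
# key=value format, which Splunk extracts automatically at search time:
#   index=main sourcetype=ufw SRC=192.168.1.88 DPT=23
```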
Thanks Martin,
I will use it both ways and see if there is a difference in how Splunk displays the output. One more question: where do I find the logs to display these specific results? I have quite a lot of log files but they do not seem to be referring to the rule that I have set.

You can see the example inputs.conf in the documentation. See this:
http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/Inputsconf#inputs.conf.example
You can search questions with "inputs.conf" to see more samples in this forum.

Do post your inputs.conf settings - for example, I'm not quite sure what you mean by "look at an IP address".
