Getting Data In

Edited inputs.conf file, where can I find the log files or can I bring up the results through command line

mahmudomer
Engager

Hi,

I am using Splunk on Ubuntu and edited the inputs.conf file to look at an IP address which I hope is working.

I want to look in the log file to test if its working but I am unable to locate which log files it would be located in.

Also if someone could post part of their inputs.conf file just so I can make sure I am inputting the stanza correctly that would be amazing.

Any help would be appreciated.
Thanks.

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

That'll listen for TCP data on port 23, so connection attempts without any data aren't going to show. This is for an application sending you splunkable data as a TCP stream.

Instead, you should get your local firewall to log these attempts and splunk the firewall logs.

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If you didn't specify an index then they will end up in index=main. Look for tcp, that IP, and that port in the source field.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

That'll listen for TCP data on port 23, so connection attempts without any data aren't going to show. This is for an application sending you splunkable data as a TCP stream.

Instead, you should get your local firewall to log these attempts and splunk the firewall logs.

0 Karma

mahmudomer
Engager

Thanks Someoni2, thats very helpful.

Hi Martin,
This is my inputs.conf posted.

[default]
host = mahmud-X551CA

[tcp-ssl:]

[tcp:192.168.1.88:23]

Which I think may have been incorrect accroding to the file that someoni2 posted.

And sorry for the bad description of look at an IP adress. I should of said look for any data recieved from a specific IP Address.

I am currently doing a university project and I am trying to find out how Splunk can alert me if any connections or data is received from specific IP addresses without using any apps.

Thanks.

0 Karma

mahmudomer
Engager

Thanks Martin,
I will use it both ways and see if their is a difference on how Splunk displays the ouput. One more question, where do I find the logs to display these specific results. I have quite a lot of log files but they do not seem to be reffereing to the rule that I have set.

0 Karma

somesoni2
Revered Legend

You can see the example inputs.conf from the documentation. See this
http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/Inputsconf#inputs.conf.example

You can search questions with "inputs.conf" to see more samples in this forum.

martin_mueller
SplunkTrust
SplunkTrust

Do post your inputs.conf settings - for example, I'm not quite sure what you mean by "look at an IP address".

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...