Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Forwarding a scripted input from /var/log/messages

aschoen
New Member
‎11-07-2012 09:52 PM

I am trying to forward input from a universal forwarder to a regular Splunk installation on my desktop.

The universal forwarder was installed on a linux webapp server where I configured the inputs.conf (in the /etc/system/local dir) to take a scripted input (basically a bash script with a tail command of /var/log/messages piped to grep for a keyword). That is the only input I have configured in local. I restarted, checked logs, etc.

Unforunately I don't see the source, sourcetypes, or host for the linux webapp in the search homepage. I DO see the three windows hosts I installed a forwarder on, however they are pulling a log file for a client service. I feel like I am missing something somewhere. I tested the script for output, which it does. I double checked the syntax in input.conf. Im looking at the splunkd.log and I see the default directives:

TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk
etc..

I do not see my script://tail_daemon.sh directive.

I'm not sure where else to look for errors.

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎11-07-2012 11:06 PM

Note that the file name is inputs.conf, not input.conf. That could be your problem. But if that's not it, read on...

As a test, ask the universal forwarder to monitor a regular file, instead of just running a scripted input. For example, on the desktop, create an index named test and then

On the linux web app server, add the following to your inputs.conf:

[monitor:///var/log/messages]
index=test
sourcetype=messages

Restart the universal forwarder. See if you are getting any data into the the test index on your desktop. (Just search for index=test. If you get the data, then something is wrong with your script. If you don't get the data, then something is probably wrong with your forwarder configuration.

Look here for help troubleshooting your forwarder: http://splunk-base.splunk.com/answers/465/ive-set-up-a-forwarder-but-im-not-receving-any-events-on-t...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...