I turned off the syslog server running alongside Splunk and configured Splunk to listen on 514. It indexed the forwarded syslog data it received as if it came from the syslog server on which Splunk is installed. So I turned off listening on 514, and turned on the syslog daemon on the syslog server, to run alongside Splunk. However, Splunk is not processing new files added to /var/log on the syslog server. It shows the same number of entries present for the machines from which the syslog data was forwarded as it did before I turned on 514 listening on Splunk.
All this time I have been using the Unix plug-in to browse my data, if that is significant.
Depends. If you are creating the input stanza for /var/log to go to the OS index, then the Unix app should be seeing those files. Otherwise, if /var/log is sending the syslog data to the main (default) index, then you won't be able to see it from the OS index (without some changes).
By default when you are in the unix app, you are searching the OS index. (index=os)
Try going to the search app, and see if you see the syslog data. Otherwise, try index=* in the unix app and see if you see the syslog data.
If this doesn't work for you, then please show a bit more info, like your inputs.conf stanza for the syslog data (/var/log), etc.
Noah, you can ask another question with more specifics but what you want to do can be achieved using props/transforms.conf. Check the following: http://www.splunk.com/base/Documentation/4.1.4/Admin/Advancedsourcetypeoverrides
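Putting the two suggestions above together (route /var/log into the os index the *NIX app searches, and use props/transforms to set the host per event), here is an added example; it is not from this thread or from Splunk's own configuration. The stanza names, the sourcetype name `syslog_archive` and the regex (written for standard "Mon DD HH:MM:SS hostname ..." syslog lines) are assumptions.

```ini
# inputs.conf (on the Splunk instance that reads the files)
# Monitor the syslog server's /var/log and send it to the index
# the *NIX app searches by default (index=os), not to main.
# "syslog_archive" is an assumed custom sourcetype name.
[monitor:///var/log]
index = os
sourcetype = syslog_archive
disabled = 0

# props.conf (on the indexer, where index-time parsing happens)
# Run the host-rewriting transform on every event of that sourcetype.
[syslog_archive]
TRANSFORMS-sethost = syslog_host_from_header

# transforms.conf
# Capture the hostname that follows the syslog timestamp and write it
# to the event's host metadata field, instead of the default host
# (the name of the machine Splunk itself runs on).
[syslog_host_from_header]
REGEX = ^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

This rewrite happens at index time, so only events indexed after the change get the extracted host; data already indexed keeps the host it was given, which is why a search for the old counts would not change until the files are re-indexed.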
Thank you for your help. I decided, since I had to switch to the free license anyway, to just rip out the old, put in the newest version, and switch to the free license immediately. Now I have a different problem, bulk-loading the /var/log files I have sitting elsewhere on the disk into the splunk *NIX app in such a way that it properly identifies hosts listed in the logs.