Solved: How do I get my first log message?

netroworx · ‎01-04-2017

I have setup Universal forwarder on my Windows Server 2016 machine.

I have setup the Universal forwarder credentials to point to my Splunk Cloud.

By default shouldn't I now be getting data from the splunkd.log file?

Regards,

Greg

skalliger · ‎01-05-2017

You can always check your metrics.log on your Universal Forwarder installation to check whether data is being sent. Otherwise, you can of course search for index=_internal and also specify host=xyz if you'd like to.

The other Spluk logs are also monitored, not only the splunkd.log. 🙂

View solution in original post

skalliger · ‎01-05-2017

You can always check your metrics.log on your Universal Forwarder installation to check whether data is being sent. Otherwise, you can of course search for index=_internal and also specify host=xyz if you'd like to.

The other Spluk logs are also monitored, not only the splunkd.log. 🙂

netroworx · ‎01-05-2017

index=_internal shows a number of records.
Some of the records show a host of WIN2016 which is the machine I'm monitoring but when I search on host=WIN2016 I get no results.

netroworx · ‎01-05-2017

Data Summary shows: "Waiting for results..."

netroworx · ‎01-05-2017

If I search:
index=_internal host=WIN2016

I get results so I guess internal events are filtered out by default.

skalliger · ‎01-09-2017

Glad to hear you're receiving data. 🙂

How do I get my first log message?

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

How do I get my first log message?

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!