Hi,
I'm trying to get to grips with Splunk to evaluate it for a company I work for. I'm having trouble doing some basic tasks though. I've read quite a bit of the documentation and understand Splunk from a high level. It looks like it should be a beautiful solution.
I want a basic setup to start with. I would like to just index 4 Apache Tomcat access logs (Apache's IIS Logs).
I've installed Splunk on a local machine and created a local folder to drop the files into (we have 4 servers for an application, each creating 1 log per day).
I've set up a data input via the web interface (added a regex expression for the host too).
I see from $SPLUNK_HOME/en-GB/manager/search/data/inputs/monitor the Data Input I added and it says 4 under the Number of files.
But I don't see anything for those 4 files under the Sources, Source types and Hosts when I look here: $SPLUNK_HOME/en-GB/app/search/dashboard_live
So to me, it doesn't look like the files have been indexed for searching? I could do with knowing how you monitor loading (indexing) to see when a file has been parsed and indexed, and with what host, source, source type, and how the events look for those files?
Another thing I was looking into was the inputs.conf file, in Splunk\etc\system\local. I believe once I set up a data input it should add a monitoring line in here? But it looks a little empty with just several one-liners and looks nothing like the file from Splunk\etc\system\default
You should probably take this:
http://docs.splunk.com/Documentation/Splunk/latest/User/WelcometotheSplunktutorial
Most useless thread. EVER.
Why don't you post something useful and constructive? Make the thread useful for others...
I now just run searches on the indexes being indexed to. Normally a count of all requests per day, and just hope Splunk has indexed all the events properly (or as I expect).
Use Windows Explorer and search for inputs.conf. I thought Linux, but you are on Windows.
C:\Program Files\Splunk\etc\apps>find . -name "inputs.conf" -print
Access denied - .
File not found - -NAME
File not found - -PRINT
In a nutshell, if you are in an app, let's say the search app, and then you go to manager/data inputs, the inputs.conf will be located in $SPLUNK_HOME\etc\apps\search\local. If you are in another app, the inputs.conf will be in another app's local directory. Are you on a Linux box?
Go to $SPLUNK_HOME\etc\apps and search using Windows Explorer for inputs.conf files.
Nothing is ever going to be in the directories that you listed above for your use cases.
I'll read through this and see if I get my answers. Thank you for the reply.
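The advice above (look for inputs.conf under each app's local directory rather than only etc\system\local) can be scripted so it works the same on Windows and Linux. This is an added example, not part of the original thread or Splunk's own tooling: the sample directory tree, monitored path, sourcetype and host_regex values are constructed, and the parser only handles plain `[stanza]` and `key = value` lines.

```python
import os
import tempfile

def parse_conf(path):
    """Parse a Splunk .conf file into {stanza: {key: value}} (simple lines only)."""
    stanzas, current = {}, None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # skip blanks and comments
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif "=" in line and current is not None:
                key, _, value = line.partition("=")
                current[key.strip()] = value.strip()
    return stanzas

def find_monitor_inputs(splunk_home):
    """Return (conf path relative to splunk_home, monitored path, settings)
    for every monitor:// stanza in any inputs.conf under etc."""
    found = []
    for root, _dirs, files in os.walk(os.path.join(splunk_home, "etc")):
        if "inputs.conf" not in files:
            continue
        conf = os.path.join(root, "inputs.conf")
        rel = os.path.relpath(conf, splunk_home).replace(os.sep, "/")
        for stanza, settings in parse_conf(conf).items():
            if stanza.startswith("monitor://"):
                found.append((rel, stanza[len("monitor://"):], settings))
    return sorted(found, key=lambda item: item[:2])

def build_sample_home():
    """Constructed sample tree: input added from the search app, none in system/local."""
    home = tempfile.mkdtemp()
    samples = {
        "etc/system/local/inputs.conf": "[default]\nhost = MYPC\n",
        "etc/apps/search/local/inputs.conf":
            "[monitor://C:\\logs\\tomcat]\n"
            "sourcetype = access_common\nhost_regex = (srv\\d+)\n",
    }
    for rel, text in samples.items():
        path = os.path.join(home, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return home

if __name__ == "__main__":
    home = os.environ.get("SPLUNK_HOME") or build_sample_home()
    for conf, target, settings in find_monitor_inputs(home):
        print(conf, "->", target, settings)
```

With SPLUNK_HOME set, the script reports the real installation; without it, it runs against the constructed sample tree.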