I'm trying to get to grips with splunk to evaluate it for a company I work for.. I'm having trouble doing some basic tasks though. I've read quite a bit of the documentation and understand splunk from a high level. It looks like it should be a beautiful solution.
I want a basic set up to start with. I would like to just index 4 Apache tom cat access logs (Apache's IIS Logs).
I've installed Splunk on a local machine and created a local folder to drop the files into (we have 4 servers for an application, each creating 1 log per day).
I've setup a data input via web interface (added a regex expression for the host too).
I see from $SPLUNK_HOME/en-GB/manager/search/data/inputs/monitor the Data Input I added and it says 4 under the Number of files
But I don't see anything for those 4 files under the Sources, Source types and Hosts when I look here: $SPLUNKHOME/en-GB/app/search/dashboardlive
So to me, it doesn't look like the files have been indexed for searching? I could do with knowning how you monitoring loading(indexing) to see when a file have been parsed, indexed and with what host, source, source type and how the events look for those files?
Another thing I was looking into was the inputs.conf file, in Splunk\etc\system\local, I believe once I set up a datainput it should add a monitoring line in here? But It looks a little empty with just several one liners and looks nothing like the file from
In a nutshell, if you are in an app, let's say the search app, and then you go to manager/data inputs, the inputs.conf will be located in $SPLUNK_HOME\etc\apps\search\local. If you are in another app, the inputs.conf will be in another apps local directory. Are you on a linux box?
Go to $SPLUNK_HOME\etc\apps and search using Windows Explorer for inputs.conf files.
Nothing is every going to be in the directories that you listed above for your use cases.
C:\Program Files\Splunk\etc\apps>find . -name "inputs.conf" -print
Access denied - .
File not found - -NAME
File not found - -PRINT
User WIndows Explorer and search for inputs.conf. I thought linux, but you are on Windows.
Why don't you post something useful and constructive. Make the thread useful for others...
I now just run searches on indexies being indexed to. Normally a count of all requests per day and just hope splunk has indexed all the events properly (or as I expect).