Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create an outputs.conf file for access and error logs?

splgeek
Explorer
‎10-24-2016 01:29 PM

how do I got about creating an outputs.conf file for

/var/log/nginx/access.log
/var/log/nginx/error.log

thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-24-2016 11:55 PM

You have to configure inputs.conf with two stanzas like this:

[monitor:///var/log/nginx/access.log]
disabled=0
index=your_index
sourcetype=access

[monitor:///var/log/nginx/error.log]
disabled=0
index=your_index
sourcetype=error

Inputs.conf is localized in $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/apps/yourapp/local
for details see http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf

outputs.conf isn't used to ingest logs, but to address the logs to forward to your indexes (see http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Outputsconf).

Bye.
Giuseppe

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎10-24-2016 01:34 PM

The only purpose of outputs.conf is to define where the forwarder should send the data to. So if you want the data from the above 2 log files, you will define this in your SPLUNK_HOME/etc/system/local/inputs.conf file then create an outputs.conf file in the same directory and have it point to your indexer(s)

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Outputsconf

Reply

splgeek
Explorer
‎10-24-2016 01:44 PM

where do i define this paths in the output.confs file?

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎10-24-2016 01:48 PM

Your inputs.conf will look like this

[default]
host = YOUR_HOSTNAME

[monitor:///var/log/nginx/access.log]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX

[monitor:///var/log/nginx/error.log]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX

Your outputs.conf will look like this 

[tcpout]
defaultGroup = xxx.xx.xx.xxx_9997

[tcpout:xxx.xx.xx.xxx_9997]
server = xxx.xx.xx.xxx:9997

[tcpout-server://xxx.xx.xx.xxx:9997]

Where the x' s represent your indexer IP address

This will be under /etc/system/local

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Top