How to create an outputs.conf file for access and error logs?

splgeek
Explorer

How do I go about creating an outputs.conf file for

/var/log/nginx/access.log
/var/log/nginx/error.log

thanks

0 Karma

gcusello
SplunkTrust

You have to configure inputs.conf with two stanzas like this:

[monitor:///var/log/nginx/access.log]
disabled=0
index=your_index
sourcetype=access

[monitor:///var/log/nginx/error.log]
disabled=0
index=your_index
sourcetype=error

inputs.conf is located in $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/apps/yourapp/local.
For details see http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf

outputs.conf isn't used to ingest logs, but to address the logs to forward to your indexes (see http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Outputsconf).

Bye.
Giuseppe

0 Karma

skoelpin
SplunkTrust

The only purpose of outputs.conf is to define where the forwarder should send the data to. So if you want the data from the above 2 log files, you will define this in your SPLUNK_HOME/etc/system/local/inputs.conf file, then create an outputs.conf file in the same directory and have it point to your indexer(s).

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Outputsconf

splgeek
Explorer

Where do I define these paths in the outputs.conf file?

0 Karma

skoelpin
SplunkTrust

Your inputs.conf will look like this:

[default]
host = YOUR_HOSTNAME

[monitor:///var/log/nginx/access.log]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX

[monitor:///var/log/nginx/error.log]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX

Your outputs.conf will look like this:

[tcpout]
defaultGroup = xxx.xx.xx.xxx_9997

[tcpout:xxx.xx.xx.xxx_9997]
server = xxx.xx.xx.xxx:9997

[tcpout-server://xxx.xx.xx.xxx:9997]

Where the x's represent your indexer IP address.

This will be under /etc/system/local

0 Karma
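
An added example, not code from any poster in this thread or from Splunk: a Python check for the split described above, with file paths in [monitor://] stanzas of inputs.conf and forwarding targets in [tcpout:] groups of outputs.conf. The index, sourcetype and group names and the 192.0.2.10 address are constructed sample values, and the checks are a heuristic for this simple layout only.

```python
import configparser

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {setting: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                   interpolation=None, strict=False)
    cp.optionxform = str  # keep case: the setting is defaultGroup, not defaultgroup
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def check_forwarder(inputs_text, outputs_text):
    """Return review findings for the simple monitor -> tcpout layout in this thread."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    findings = []
    monitors = [s for s in inputs if s.startswith("monitor://")]
    if not monitors:
        findings.append("inputs.conf: no [monitor://...] stanza")
    for stanza in monitors:
        cfg = inputs[stanza]
        if cfg.get("disabled", "0").strip().lower() in ("1", "true"):
            findings.append(f"inputs.conf: [{stanza}] is disabled")
        for key in ("index", "sourcetype"):
            if not cfg.get(key, "").strip():
                findings.append(f"inputs.conf: [{stanza}] has no explicit {key}")
    # File paths never belong in outputs.conf; it only names forwarding targets.
    for stanza in outputs:
        if stanza.startswith("monitor://"):
            findings.append(f"outputs.conf: [{stanza}] belongs in inputs.conf")
    groups = {s.split(":", 1)[1]: outputs[s] for s in outputs if s.startswith("tcpout:")}
    default = outputs.get("tcpout", {}).get("defaultGroup", "")
    for group in filter(None, (g.strip() for g in default.split(","))):
        if group not in groups:
            findings.append(f"outputs.conf: defaultGroup '{group}' has no [tcpout:{group}] stanza")
        elif not groups[group].get("server", "").strip():
            findings.append(f"outputs.conf: [tcpout:{group}] has no server")
    return findings

# Constructed sample configs (all values are placeholders, not from the thread).
GOOD_INPUTS = "[monitor:///var/log/nginx/access.log]\nsourcetype = nginx_access\nindex = web\n"
GOOD_OUTPUTS = "[tcpout]\ndefaultGroup = indexers\n[tcpout:indexers]\nserver = 192.0.2.10:9997\n"
# The mix-up from the question: a log path placed in outputs.conf, no target group defined.
BAD_OUTPUTS = "[monitor:///var/log/nginx/access.log]\nindex = web\n[tcpout]\ndefaultGroup = indexers\n"

if __name__ == "__main__":
    for finding in check_forwarder("", BAD_OUTPUTS):
        print(finding)
```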