Getting Data In

How to create an outputs.conf file for access and error logs?

splgeek
Explorer

how do I got about creating an outputs.conf file for

/var/log/nginx/access.log
/var/log/nginx/error.log

thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

You have to configure inputs.conf with two stanzas like this:

[monitor:///var/log/nginx/access.log]
disabled=0
index=your_index
sourcetype=access

[monitor:///var/log/nginx/error.log]
disabled=0
index=your_index
sourcetype=error

Inputs.conf is localized in $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/apps/yourapp/local
for details see http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf

outputs.conf isn't used to ingest logs, but to address the logs to forward to your indexes (see http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Outputsconf).

Bye.
Giuseppe

0 Karma

skoelpin
SplunkTrust
SplunkTrust

The only purpose of outputs.conf is to define where the forwarder should send the data to. So if you want the data from the above 2 log files, you will define this in your SPLUNK_HOME/etc/system/local/inputs.conf file then create an outputs.conf file in the same directory and have it point to your indexer(s)

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Outputsconf

splgeek
Explorer

where do i define this paths in the output.confs file?

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Your inputs.conf will look like this

[default]
host = YOUR_HOSTNAME

[monitor:///var/log/nginx/access.log]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX

[monitor:///var/log/nginx/error.log]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX

Your outputs.conf will look like this

[tcpout]
defaultGroup = xxx.xx.xx.xxx_9997

[tcpout:xxx.xx.xx.xxx_9997]
server = xxx.xx.xx.xxx:9997

[tcpout-server://xxx.xx.xx.xxx:9997]

Where the x' s represent your indexer IP address

This will be under /etc/system/local

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...