Getting Data In
Highlighted

How to edit my configuration files to index nginx data in Splunk?

New Member

I have set up a new server, and I'm trying to get nginx access logs into splunk. This is not working.
These are my config files:

cat inputs.conf

[monitor:///var/log/nginx/access.log]
disabled = false
sourcetype = access

[monitor:///var/log/nginx/error.log]
disabled = false
sourcetype = error

[default]
host =hostname

outputs.conf

[tcpout-server://hostname:8089]

[deployment-client]
clientName = qpp-nginx

[target-broker:deployment-server]
targetUri = hostname:8089

I am not seeing any errors in the Splunk logs, although the Splunk agent is running

Splunk btool check reports, but detects no errors

If I do a search for sourcetype=access.log nothing comes up, neither host="ip address" or host="hostname"

0 Karma
Highlighted

Re: How to edit my configuration files to index nginx data in Splunk?

Motivator

Hello @marcrsplunk,

change the receiver (tcpout-server) port. 8089 is the splunkd port that is used for inter-splunk communication, not for receiving.

check on the splunk indexer which port is used for listener:

splunk display listen

if you see "receiving is disable" then you need to enable it with:

splunk enable listen 9997

or using UI.

Let me know if it works for you.

Good luck!

0 Karma
Highlighted

Re: How to edit my configuration files to index nginx data in Splunk?

New Member

Examples of outputs.conf
The following outputs.conf example contains three stanzas for sending data to Splunk receivers.

Global settings. In this example, there is one setting, to specify a defaultGroup.
Settings for a single target group consisting of two receivers. Here, we specify a load-balanced target group consisting of two receivers.
Settings for one receiver within the target group. In this stanza, you can specify any settings specific to the mysplunkindexer1 receiver.
[tcpout]
defaultGroup=my
indexers

[tcpout:myindexers]
server=mysplunk
indexer1:9997, mysplunk_indexer2:9996

[tcpout-server://mysplunk_indexer1:9997]

0 Karma
Highlighted

Re: How to edit my configuration files to index nginx data in Splunk?

New Member

try btool with debug:

example:

inputs list monitor:///var/log/nginx/error.log --debug

and also try

inputs list monitor:///var/log/nginx/error.log --debug | grep

https://docs.splunk.com/Documentation/Splunk/8.0.3/Troubleshooting/Usebtooltotroubleshootconfigurati...

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.