Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to view the entire syslog or kiosk log file?

ginger8990
Explorer
‎10-03-2014 02:19 PM

I am new to splunk. We found some challenging issue with splunk.
we imported some logs as files and directories data input but I didn't see the option to see the whole log . This log is either syslog or kiosk log ==text file.

Can I see the whole log by just double click the log link?

Tags (2)
0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎10-04-2014 06:03 PM

There is no guarantee of being able to see the whole original logfile in splunk.

The value of splunk is that you don't have to think about the event stream in terms of "a set of files" anymore, because the events occurring don't really care what file syslog put them in.

If you have rolling logs where each day (or hour, etc) you have a current file that is named my_file.log, then all the events that are written do this file will show up as source=my_file.log, for each copy of the file day after day, so there is no easy way to pull the events that were in a specific copy of that file.

Also, people may perform data modification or filtering on its way into splunk through the TRANSFORMS mechanism or other approaches.

That said, if you want to see the data you have from the file, you can simply run a search on

source=/path/to/your/filename.log

or more typically

source=/path/to/your/filename.log host=a_hostname

to ensure you're looking at the data from one system, instead of possibly events from many systems.

0 Karma
Reply

ginger8990
Explorer
‎10-05-2014 08:01 AM

Thanks for the reply. Where to start these commands? At GUI interface or command prompt?

I installed splunk on Windows with GUI interface.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...