Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Logs forwarded from universal forwarder

James8
Explorer
‎01-15-2021 03:06 AM

Hi, i would to like to ask: 

1. Where do I find the log files that are being forwarded from an universal forwarder on the machine installed with Splunk Enterprise ? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-15-2021 03:31 AM

Hi @James8,

all the logs from UFs are in the Indexes. they are indexed and stored in in buckets with all the indexes that Splunk uses to search them; you haven't forwarded log files, only indexed logs in Indexes.

To understand how splunk indexes logs, you can see at https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-15-2021 03:31 AM

Hi @James8,

all the logs from UFs are in the Indexes. they are indexed and stored in in buckets with all the indexes that Splunk uses to search them; you haven't forwarded log files, only indexed logs in Indexes.

To understand how splunk indexes logs, you can see at https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

James8
Explorer
‎01-19-2021 04:01 PM

Ok thanks! Am i able to generate raw log files from these indexed logs?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-20-2021 04:40 AM

Hi @James8,

you already have _raw logs!

you have to run a search on the index where you stored logs (e.g. index=my_index) and see logs.

probably you should see the Splunk Documentation about how Splunk works:

https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...