Hi, I would like to ask:
1. Where do I find the log files that are being forwarded from a universal forwarder on the machine installed with Splunk Enterprise?
Hi @James8,
all the logs from UFs are in the Indexes. They are indexed and stored in buckets with all the indexes that Splunk uses to search them; you haven't forwarded log files, only indexed logs in Indexes.
To understand how Splunk indexes logs, you can look at https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes
Ciao.
Giuseppe
Ok thanks! Am I able to generate raw log files from these indexed logs?
Hi @James8,
You already have _raw logs!
You have to run a search on the index where you stored logs (e.g. index=my_index) and see the logs.
Probably you should see the Splunk Documentation about how Splunk works:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain
Ciao.
Giuseppe
P.S.: Karma Points are appreciated 😉
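Worked example added here (not code from the thread or from Splunk): the index search from the answer above, pulled through the REST export endpoint and written back out as one file per forwarded host and source, so the indexed _raw events become log files again. The endpoint path, port 8089, bearer-token auth and the JSON-lines record shape (preview/result with host, source, _raw) are assumptions; the sample lines are constructed.

```python
# Added example (not from the thread): rebuild per-source raw log files from
# events a Universal Forwarder sent to an index. Assumes Splunk's REST export
# endpoint on port 8089, a bearer token, and host/source/_raw on every event.
import json
import ssl
import urllib.parse
import urllib.request
from collections import defaultdict
from pathlib import Path

def export_events(base_url, token, index, cafile=None):
    """Stream one index as JSON lines; sort 0 _time restores original file order."""
    spl = f"search index={index} | sort 0 _time | fields host source _raw"
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    req = urllib.request.Request(f"{base_url}/services/search/jobs/export", data=body,
                                 headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context(cafile=cafile)  # verify the indexer's TLS cert
    with urllib.request.urlopen(req, context=ctx) as resp:
        for line in resp:
            if line.strip():
                yield line.decode()

def group_raw_by_source(json_lines):
    """Map (host, source) -> list of _raw events, keeping the order received."""
    files = defaultdict(list)
    for line in json_lines:
        rec = json.loads(line)
        if rec.get("preview"):  # skip partial preview rows, keep final results
            continue
        r = rec["result"]
        files[(r["host"], r["source"])].append(r["_raw"])
    return dict(files)

def write_log_files(files, out_dir):
    """Write each (host, source) group to out_dir/<host>/<original path>."""
    written = []
    for (host, source), lines in files.items():
        dest = Path(out_dir) / host / source.lstrip("/")
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text("\n".join(lines) + "\n")
        written.append(str(dest))
    return written

# Constructed sample of export output: two files from one forwarder host.
SAMPLE = [
    '{"preview":false,"result":{"host":"web01","source":"/var/log/auth.log","_raw":"Jan 10 10:00:01 web01 sshd[1]: Accepted publickey for alice"}}',
    '{"preview":false,"result":{"host":"web01","source":"/var/log/auth.log","_raw":"Jan 10 10:00:05 web01 sshd[2]: Failed password for bob"}}',
    '{"preview":false,"result":{"host":"web01","source":"/var/log/syslog","_raw":"Jan 10 10:00:02 web01 cron[3]: job started"}}',
]
```

Against a live indexer, `write_log_files(group_raw_by_source(export_events("https://indexer:8089", TOKEN, "my_index")), "rebuilt_logs")` does the whole round trip; the index name and output directory are placeholders.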