Getting Data In

New free license Splunk install running *NIX to see host entries in my syslog server's /var/log

Explorer

Hi.

I have a new 4.1.4 free license install running on a VM. On the same server running Splunk, I have a /var/log that is filled with syslog entries forwarded from other machines and captured by a syslog daemon on the same server.

I would like the *NIX app to load the /var/log data in so that I can see the entries differentiated by host in the app. I could ask Splunk to monitor the /var/log directory, or something, but that might not give me the links on the homepage of the *NIX app that I had when I ran *NIX under the enterprise license.

I understand that I am supposed to run a manual search but I don't know how to configure *NIX to find the log files, et cetera, under the free version. I think I will need to "bulk load" the /var/log data, because there's just so much of it.

Tags (4)
0 Karma

Explorer

It looks like the four Data Inputs created by *NIX, including the Files and Directory Data Input for the /var/log directory, were disabled inside the Manager. So a quick click on 'enable' for each got me halfway there. I had a few custom logs sitting in the directory, so I modified the whitelist regex to include patterns for the names of the files, and now I'm all set!

Explorer

NEVER MIND! The Data inputs created for the *NIX app were disabled for some reason.

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!