Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Not able to read

sibanandapani1
Explorer
‎10-09-2014 01:13 PM

Could you please help me in getting file?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎10-10-2014 02:15 AM

Few problems here:

By default, there is no index called audit_index.

But more importantly, the way splunk handles the audit file is.. black magic. The events are put directly into the indexing queue, and also written out the file. We never read the data from the file into the index. In order to make this work, we have a rule that arranges for the audit.log data to be null routed when tailed.

Options:

  • monitor the file under another name, such as via a symbolic link.
  • Don't do this at all, and simply use forwarding/distributed search to see the data.

View solution in original post

Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎10-10-2014 02:15 AM

Few problems here:

By default, there is no index called audit_index.

But more importantly, the way splunk handles the audit file is.. black magic. The events are put directly into the indexing queue, and also written out the file. We never read the data from the file into the index. In order to make this work, we have a rule that arranges for the audit.log data to be null routed when tailed.

Options:

  • monitor the file under another name, such as via a symbolic link.
  • Don't do this at all, and simply use forwarding/distributed search to see the data.
Reply
Solved! Jump to solution

sibanandapani1
Explorer
‎10-10-2014 01:46 PM

Symbolic link is able to read the file, which is pointing to same file. But why not the same file directly, any reason for so?

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎10-10-2014 02:25 PM

The reason is to avoid having that data in the index twice. The mechanism is as already stated. Please do not adjust the mechanism, it will make you sad.

0 Karma
Reply
Solved! Jump to solution

sibanandapani1
Explorer
‎10-10-2014 02:34 PM

Got you. Sorry to bother much but I am not understanding one point here.

Just curious to know file which we are not able to monitor from an another instance of splunk, can be monitored through symbolic link which is pointing to the same file. It will be really helpful for me, if you can let me know a bit more deeply.

Thanks a lot in advance.

0 Karma
Reply
Solved! Jump to solution

sibanandapani1
Explorer
‎10-10-2014 11:33 AM

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...