- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Unable to find the source file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
I have this source showing in the splunk source=/opt/splunk/var/spool/splunk/singlehost.sample.sav
But when I checked the server I am unable to find this particular file. How is this possible.
If I want to find the source in this case how can I do it. For example if the data is coming through a network port.
Regards,
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the solution at last. These events were generated by an app by splunk SA-Eventgen. We were using PCI compliance app and while installation it seems this app was configured by default. After disabling the app these sample logs disappeared.
I found the solution in the Splunk security app FAQs.
http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#How_do_I_manually_enable_eventgen.3F
But the same is not included in PCI compliance app documentation. Hope splunk sees this and update the PCI compliance app documentation.
Regards,
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the solution at last. These events were generated by an app by splunk SA-Eventgen. We were using PCI compliance app and while installation it seems this app was configured by default. After disabling the app these sample logs disappeared.
I found the solution in the Splunk security app FAQs.
http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#How_do_I_manually_enable_eventgen.3F
But the same is not included in PCI compliance app documentation. Hope splunk sees this and update the PCI compliance app documentation.
Regards,
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to stop the files (/opt/splunk/var/spool/splunk/singlehost.sample.sav) from getting indexed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The data source just says where Splunk got the data from at the time of indexing. It doesn't say anything about the current status of that source.
In your particular case, the source is a file in Splunk's spool directory - files that are put in this directory are immediately deleted after they've been indexed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Easiest thing would be to make whatever is putting the files there in the first place stop what it's doing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to stop the files (/opt/splunk/var/spool/splunk/singlehost.sample.sav) from getting indexed
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
