Hi, I hope you are fine. I need your help. I want the Splunk forwarder to take only alert data from the logs. How can I tell the Splunk forwarder, which is called the Splunk Universal Forwarder, to take only alert data from the logs? Let's say I have 5000 log files, of which only 1000 files are alert logs; I want only those 1000 log files from the Splunk forwarder. Help me with this issue, I hope you will help me. Thanks in advance.
In general, you should not be just pointing your forwarder at a directory in which you have many different kinds of files and ingest them all into one big "sack".
Every type of log file should have its own sourcetype, so Splunk knows that, for example, /var/log/exim/main.log* are the exim log files (and have to be parsed accordingly) and /var/log/httpd/access.log* are Apache httpd files and are treated according to their format.
So in your inputs.conf you should set appropriate definitions of inputs with paths pointing at specific subsets of files. So instead of just [monitor:///var/log/*] to get all logs, you should have more precisely specified paths like [monitor:///var/log/named/*] and so on.
Thanks. Give me an example for inputs.conf. I want all the logs from ssh logins in /var/logs; tell me the syntax for this.
Let's say new data comes into the local var/log/ on the Linux machine where the Splunk forwarder is installed. How do I know this is alert data? Give me examples for this. I want alerts related to viruses when a new virus comes back into the var/log directory; how do I tell the Splunk forwarder this is alert data? I know where I can configure inputs.conf in the system/local folder of the Splunk forwarder. Help me.
Hello,
You should create an inputs.conf file that will monitor this directory and collect only the Alert Logs files.
You can create a new app and place the inputs.conf file in the /local/ folder of the app, or add this inputs.conf file directly in $SPLUNK_HOME/etc/system/local/ of your Splunk Universal Forwarder.
Make sure that you collect only the desired logs if they are in the same directory as the other logs. Also, make sure the user that is running the splunkd process has the right permissions to read this directory.
An example of the inputs.conf file is the following:
[monitor://<YOUR_PATH_TO_ALERT_LOGS>]
index = <INDEX_OF_YOUR_DATA>
sourcetype = <SOURCETYPE_OF_YOUR_DATA>
disabled = false
More information can be found in the official docs: https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Monitorfilesanddirectorieswithinputs.conf
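As an added example (not posted by anyone in this thread), the following inputs.conf for a Splunk Universal Forwarder puts the two answers above together: one stanza per log type, as the first answer recommends, with the ssh login logs the asker mentioned, plus a stanza that uses the monitor input's whitelist/blacklist settings to pick only the alert files out of a directory shared with other logs, which is the situation the second answer warns about. The directory /var/log/myapp, the index names, the sourcetype myapp:alert and the file-name pattern "*alert*.log" are assumptions for illustration; auth.log, secure and the built-in linux_secure sourcetype are real.

```ini
# Added example inputs.conf for a Splunk Universal Forwarder.
# Not from the thread's authors. Index names, /var/log/myapp and the
# "*alert*.log" naming pattern are assumptions made for this example.

# ssh logins: Debian/Ubuntu write them to /var/log/auth.log,
# RHEL/CentOS to /var/log/secure. Monitor both; the built-in
# linux_secure sourcetype parses sshd login events.
# (assumption: an index named "os" exists on the indexers)
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os
disabled = false

[monitor:///var/log/secure]
sourcetype = linux_secure
index = os
disabled = false

# Alert files mixed into a directory with thousands of other logs.
# whitelist is a regex tested against the full path; only matching
# files are read. blacklist drops rotated/compressed copies so the
# same events are not ingested twice.
# (assumption: alert files are named like app-alert-2024.log)
[monitor:///var/log/myapp]
whitelist = /[^/]*alert[^/]*\.log$
blacklist = \.(gz|bz2|zip|\d+)$
sourcetype = myapp:alert
index = security
disabled = false
```

Restart the forwarder after placing the file in $SPLUNK_HOME/etc/system/local/ (or in an app's local/ directory). Note that whitelist and blacklist select files by path and name only; they do not look inside the files, so "alert" lines buried in a file that also carries normal events are still forwarded whole, and filtering by event content has to be done on the indexing side rather than on the Universal Forwarder.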