Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

where splunk store syslog data?

channy
Explorer
‎05-23-2011 02:24 AM

I install splunk and add syslog port as the input data. i wonder where splunk store the syslog that it received? Do splunk differentiate between the syslog message and the indexed data?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎05-23-2011 06:57 AM

No, it does not differentiate. All data processed by Splunk - be it syslog data, files being read, or other network sockets - is stored in various Splunk indexes. The syslog message IS the indexed data.

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎05-23-2011 06:57 AM

No, it does not differentiate. All data processed by Splunk - be it syslog data, files being read, or other network sockets - is stored in various Splunk indexes. The syslog message IS the indexed data.

Reply
Solved! Jump to solution

channy
Explorer
‎05-24-2011 11:44 PM

thanks imrago...very helpful tool....
thanks dwaddle for the clarification....

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎05-24-2011 06:28 AM

Any data Splunk indexes is stored in an index data structure called a bucket. The internal format of Splunk's buckets is proprietary to the product - so you can't (easily) go poking about inside of a bucket trying to read and understand it.

If you wish to have other software work with your log data, there are some options. Imrago's suggestion of using rsyslog first (and letting splunk read the files it makes) is a good one. Also, you can configure splunk to forward events over a TCP socket to thirs party software.

0 Karma
Reply
Solved! Jump to solution

imrago
Contributor
‎05-24-2011 02:48 AM

You could instead of directly ingesting syslog messages into Splunk to first store in a file remote syslog events, using for example rsyslog (http://www.rsyslog.com/storing-messages-from-a-remote-system-into-a-specific-file/), and to point Splunk to that file.

Reply
Solved! Jump to solution

channy
Explorer
‎05-24-2011 01:58 AM

thanks for the confirmation. and where is this data stored? Is this meaning that i can't use the syslog messages that Splunk received with other syslog software?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...

Data Management Digest – January 2026

Welcome to the January 2026 edition of Data Management Digest! Welcome to the January 2026 edition of Data ...

Splunk SOAR Now Available on Google Cloud Platform

We’re excited to announce that Splunk SOAR is now natively available as a SaaS solution on Google Cloud ...