Hi @dritjon,

let me understand: you configured a syslog-ng or anotehr kind of syslog server that writes the received logs in files of the above folder, is it correct?

The second question is: syslog server in on the same server where Splunk is installed or in a different one?

If in the same server you have to:

• by GUI create a new index (better) or use an existing one (e.g. main) [Settings -- Indexes -- new Index],
• by GUI create a new input [Settings -- Data inputs -- Files & Directories -- New Local File & Directory]
• use your logs in searches

if in different servers, you have to:

• on Splunk Server Configure receiving [Settings -- Forwarding and receiving - Receiving]
• on Splunk Server by GUI create a new index (better) or use an existing one (e.g. main) [Settings -- Indexes -- new Index],
• install a Universal Forwarder on the syslog server
• configure Universal Forwarder to send data to Splunk (https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Configureforwarderswithoutputs.c...)
• configure input on this server (for more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/Usingforwardingagents and https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/Monitorfilesanddirectories
• on Splunk Server use your logs in searches

Ciao.

Giuseppe