Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I put a custom log file in $SPLUNK_HOME/var/log/splunk?

joxley
Path Finder
‎01-06-2015 06:41 AM

I have a scripted input that writes diagnostic information out to /var/log/myscript.log. I have a monitor on that file sending it to the main index with the sourcetype myscript_log for debugging purposes.

Is is appropriate to put the file in $SPLUNK_HOME/var/log/splunk/myscript.log?

Will this file be automatically sucked into splunk?

If so will it go into _internal?

If not, is it appropriate to put it in _internal?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎01-06-2015 06:48 AM

Hi joxley,

sure you can do this, by default you have a inputs monitor like this:

[monitor:///opt/splunk/var/log/splunk]
index = _internal

so your log will end up in index=_internal as well. But keep in mind that the default retention for _internal is only 30 days.

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎01-06-2015 06:48 AM

Hi joxley,

sure you can do this, by default you have a inputs monitor like this:

[monitor:///opt/splunk/var/log/splunk]
index = _internal

so your log will end up in index=_internal as well. But keep in mind that the default retention for _internal is only 30 days.

cheers, MuS

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎01-06-2015 07:40 AM

remember that :
- splunk will not manage your log, it only rotated the ones defined in the .../etc/log.cfg
- and that this input does not work on universal and lightweight forwarders (that use a special output filter and keys to drop all data except splunkd.log)

Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...