Solved: Can I put a custom log file in $SPLUNK_HOME/var/lo...

joxley · ‎01-06-2015

I have a scripted input that writes diagnostic information out to /var/log/myscript.log. I have a monitor on that file sending it to the main index with the sourcetype myscript_log for debugging purposes.

Is is appropriate to put the file in $SPLUNK_HOME/var/log/splunk/myscript.log?

Will this file be automatically sucked into splunk?

If so will it go into _internal?

If not, is it appropriate to put it in _internal?

MuS · ‎01-06-2015

Hi joxley,

sure you can do this, by default you have a inputs monitor like this:

[monitor:///opt/splunk/var/log/splunk]
index = _internal

so your log will end up in index=_internal as well. But keep in mind that the default retention for _internal is only 30 days.

cheers, MuS

View solution in original post

MuS · ‎01-06-2015

Hi joxley,

sure you can do this, by default you have a inputs monitor like this:

[monitor:///opt/splunk/var/log/splunk]
index = _internal

so your log will end up in index=_internal as well. But keep in mind that the default retention for _internal is only 30 days.

cheers, MuS

yannK · ‎01-06-2015

remember that :
- splunk will not manage your log, it only rotated the ones defined in the .../etc/log.cfg
- and that this input does not work on universal and lightweight forwarders (that use a special output filter and keys to drop all data except splunkd.log)

Can I put a custom log file in $SPLUNK_HOME/var/log/splunk?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms