Hi, I've got a task to do but I'm a complete newbie in Splunk. So could you guys help me?
I have to send to Splunk logs which have names like this "Crif.mc.Loader.log.2020-11-10", and every day it makes a new file like this.
Inside the log it looks like this:
:55:51,428 INFO LoaderLogger - subj_lien
2020-11-10 23:55:51,428 INFO LoaderLogger - subj_lien_debt
2020-11-10 23:55:51,428 INFO LoaderLogger - subj_lien_deposit
So how can I easily send all these logs every day into Splunk? Could you please write it in "splunkfordummies" style? 😄
Hi @Glace ,
Some things need to be considered:
- What kind of OS is running on the host where the logs are located?
- Is there already data being sent from that device(s) to Splunk?
- Which version of Splunk are you running: version number? Cloud or on-prem?
- Are Splunk and the source VM running in the same network?
But basically, the most common way is to use a Universal Forwarder and monitor the folder where these log files are located.
The time/date should be recognized by Splunk without any further configurations.
Install this:
https://www.splunk.com/en_us/download/universal-forwarder.html
Configure as described here:
https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Monitorfilesanddirectorieswithinputs.conf
BR
Ralph
The station where the logs are runs on Windows 10.
The forwarder is there already, but I don't know how to configure it for this specific event.
The main Splunk server is also running on Windows 10.
We have our own server here, so the Splunk we are running is on-prem, in the same network as the forwarder client.
Alright, quick and dirty is to add the following stanza to the file
$SPLUNK_HOME/etc/system/local/inputs.conf
and restart the forwarder:
[monitor://C:\path\to\your\logfile\]
disabled = 0
index = <indexname>
sourcetype = <sourcetype>
Note:
Hope this helps.
BR
Ralph
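A fuller version of the same setup, as an added example that is not from the thread: the index name crif, the sourcetype crif:loader and the folder C:\CrifLogs are assumed placeholders. The whitelist limits ingestion to the daily-rotated loader files, and the props.conf stanza pins the timestamp format so each event carries the time from the log line rather than the time it was indexed (Splunk .conf files take comments only on their own lines, never after a value).

```ini
# inputs.conf on the Universal Forwarder
# ($SPLUNK_HOME\etc\system\local\inputs.conf), then restart the forwarder.
# Monitor the folder, not one file, so each day's new
# Crif.mc.Loader.log.YYYY-MM-DD file is picked up automatically.
[monitor://C:\CrifLogs]
disabled = 0
# Assumed index name; it must already exist on the indexer.
index = crif
# Assumed sourcetype name; props.conf below keys off it.
sourcetype = crif:loader
# Only the rotated loader logs are read; anything else in the folder is skipped.
whitelist = Crif\.mc\.Loader\.log\.\d{4}-\d{2}-\d{2}$
# Include the file path in the file's CRC so two daily files that happen to
# start with identical bytes are never treated as the same already-read file.
crcSalt = <SOURCE>

# props.conf on the indexer ($SPLUNK_HOME/etc/system/local/props.conf).
[crif:loader]
# One event per line; break only before a line that starts with a date.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} )
# Timestamp sits at the start of the line: 2020-11-10 23:55:51,428 (23 chars).
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
# Optional: set TZ = <IANA zone of the loader host> here if the forwarder and
# indexer run in different time zones, so timelines stay consistent.
```

After the forwarder restart, a search such as index=crif sourcetype=crif:loader should show the loader lines with _time matching the timestamp inside each line.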