I'm in the process of setting up the Splunk App for Unix and Linux and the Splunk Add-on for Unix and Linux.
I've installed and configured the App via Splunk Web using default settings. I've installed the Add-on on one of my Linux boxes and enabled all of the default inputs using default settings. But I don't have data flowing into the "os" index.
But when I run other queries on other log files, I am getting results (the sourcetype has been defined in /opt/splunkforwarder/etc/apps/search/local/inputs.conf):
[monitor:///var/log/sudo.log]
disabled = false
index = main
sourcetype = sudolog
But the problem is I am unable to get data populated for the os index.
Can anyone help?