For a variety of reasons I'm not able to push all of our syslog data to Splunk. I can, however, easily generate daily logwatch reports which can either be placed into a directory, emailed, or whatever is needed to get them over to the Splunk server. That part is easy. What I'm not sure of is how to go about getting Splunk to eat each report as a single report and be able to generate useful reports on the data.
To put it a bit more simply, I get about 100 or so logwatch reports right now and that number is just increasing. What I'd like to do is use Splunk to process these reports and generate a unified report with some basic statistics and a section for "these things are broke/unknown" so I can scan one report instead of 100.
Has anyone done this? Any hints on where to begin to get this implemented?
Thanks!
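One way to get Splunk to index each dropped logwatch report as a single event, as an added example that is not part of the original post or of any answer to it. It assumes the reports are copied into /var/logwatch/incoming on the Splunk host (any path will do), that each report starts with logwatch's usual "#### Logwatch ... ####" banner followed by a "Processing Initiated:" line, and that the per-host name appears on a "Logfiles for Host:" line; the sourcetype name logwatch_report and the field name lw_host are made up here. Verify the banner and line strings against one of your own reports before relying on the regexes.

```ini
# inputs.conf: watch the drop directory and tag every file with one sourcetype
[monitor:///var/logwatch/incoming]
disabled = false
sourcetype = logwatch_report
# Reports from different hosts can share a filename or an identical first line;
# salting the CRC with the source path stops Splunk from treating them as duplicates.
crcSalt = <SOURCE>

# props.conf: treat the whole file as one event instead of one event per line
[logwatch_report]
SHOULD_LINEMERGE = true
# Start a new event only at the logwatch banner (assumed to begin with a run of '#')
BREAK_ONLY_BEFORE = ^\s*#+\s*Logwatch
# A report can run to thousands of lines; raise the per-event limits so it is not cut
MAX_EVENTS = 20000
TRUNCATE = 0
# Take the event time from the "Processing Initiated:" line (assumed to be near the top)
TIME_PREFIX = Processing Initiated:\s*
MAX_TIMESTAMP_LOOKAHEAD = 64
# Search-time field: which host the report was generated for (assumed header line)
EXTRACT-lw_host = Logfiles for Host:\s*(?<lw_host>\S+)
```

With the reports in as whole events, a search such as sourcetype=logwatch_report earliest=-1d | stats count by lw_host shows which hosts reported today (and, compared with yesterday, which ones went silent), and sourcetype=logwatch_report "Unmatched Entries" | table lw_host _raw pulls out only the reports with sections logwatch could not classify. Two practical points: copy each report into the directory under a temporary name and rename it into place, so the monitor input never reads a half-written file as a complete event; and if a report can exceed the default 256 KB event size, check the resulting events are not being split or truncated before trusting the statistics.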