I'm trying to configure Splunk to analyze logs coming from ClamAV. I have a shared folder where the logs are coming in. On the machine where the shared folder is located, I set the universal forwarder to monitor that folder with this command:

/opt/splunkforwarder/bin/splunk add monitor /shared/avlogs/ -index clamav -sourcetype clamav

Now what happens is that when I search

index="clamav" _raw="*FOUND*"

I don't always get results; it depends on the content of the log file, as if the parsing was not done correctly. What am I missing?
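As an added illustration (not code from the post above or from the Splunk or ClamAV projects), the following parser extracts structured detections from ClamAV result lines, the same `... FOUND` lines the question is searching for. It handles both the clamd log layout with a leading timestamp (`Tue Mar 14 09:13:02 2023 -> <message>`) and the plain clamscan layout (`<path>: <verdict>` plus a `SCAN SUMMARY` block), and it contrasts a structured parse with a case-insensitive substring match of the kind the `*FOUND*` wildcard search performs. All sample lines, paths and signature names are constructed for the example; the shared-folder path is reused from the question.

```python
"""Parse ClamAV (clamd / clamscan) log lines into structured detections.

Added example; not code from the original post. Sample lines are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample. The first three lines mimic clamd with LogTime enabled
# ("<asctime> -> <message>"); the remainder mimics clamscan, which prints one
# "<path>: <verdict>" line per file and a summary block with no timestamps.
SAMPLE_LOG = """\
Tue Mar 14 09:12:33 2023 -> SelfCheck: Database status OK.
Tue Mar 14 09:13:02 2023 -> /shared/avlogs/invoice.pdf: Eicar-Test-Signature FOUND
Tue Mar 14 09:13:05 2023 -> /shared/avlogs/readme.txt: OK
/shared/avlogs/archive.zip: Win.Test.EICAR_HDB-1 FOUND
/shared/avlogs/foundation.docx: OK
/shared/avlogs/empty.bin: Empty file

----------- SCAN SUMMARY -----------
Known viruses: 8621345
Scanned files: 3
Infected files: 1
"""

# clamd prefix: "Tue Mar 14 09:13:02 2023 -> ..." (day of month may be space-padded)
CLAMD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
SUMMARY_HEADER = re.compile(r"^-+ SCAN SUMMARY -+$")


@dataclass
class Detection:
    timestamp: Optional[datetime]  # None for clamscan lines (no per-line time)
    path: str
    signature: str


def parse_clamav_log(text: str) -> Tuple[List[Detection], Dict[str, str]]:
    """Return (detections, summary) for a ClamAV log.

    A detection is any "<path>: <signature> FOUND" result line; "OK",
    "Empty file" and clamd status messages are skipped. Lines after the
    "SCAN SUMMARY" banner are collected into the summary dict.
    """
    detections: List[Detection] = []
    summary: Dict[str, str] = {}
    in_summary = False

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if SUMMARY_HEADER.match(line):
            in_summary = True
            continue
        if in_summary:
            key, sep, value = line.partition(": ")
            if sep:
                summary[key] = value
            continue

        timestamp = None
        message = line
        m = CLAMD_LINE.match(line)
        if m:
            timestamp = datetime.strptime(m.group("ts"), TS_FORMAT)
            message = m.group("msg")

        # Split on the last ": " so a colon inside the path does not break it.
        path, sep, verdict = message.rpartition(": ")
        if not sep:
            continue
        if verdict.endswith(" FOUND"):
            detections.append(Detection(timestamp, path, verdict[: -len(" FOUND")]))

    return detections, summary


def naive_found_lines(text: str) -> List[str]:
    """Case-insensitive substring match, like a `*FOUND*` wildcard search.

    Shown for comparison: it also matches lines whose path merely contains
    the word, such as 'foundation.docx: OK'.
    """
    return [l for l in text.splitlines() if "found" in l.lower()]


if __name__ == "__main__":
    found, summ = parse_clamav_log(SAMPLE_LOG)
    for d in found:
        print(d.timestamp, d.path, d.signature)
    print("summary:", summ)
    print("naive substring matches:", len(naive_found_lines(SAMPLE_LOG)))
```

Run on the constructed sample, the structured parse yields two detections (one with a clamd timestamp, one without) and the summary counts, while the substring match returns three lines because `foundation.docx` also contains "found". Whatever the cause of the missing search hits in the question turns out to be, extracting `path` and `signature` as fields (for example with a search-time field extraction on the `clamav` sourcetype) gives a more reliable query than a wildcard over `_raw`.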