×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
doadams85
Observer
Member since: ‎11-14-2023
‎11-15-2023
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-14-2023
View All

Re: Aggregating syslogs and forwarding to splunk a...

by in Getting Data In
‎11-15-2023 12:39 PM
‎11-15-2023 12:39 PM
Hi Guiseppe, Yes to all you mention. The data gets into splunk but ONLY the log aggregator shows up as a host on the search window on the left. I need all the hosts showing up.  If I search using the other hostnames I can see the logfile from that host - just doesn't show as a host on the left. Make sense?  ... View more

Re: Aggregating syslogs and forwarding to splunk a...

by in Getting Data In
‎11-15-2023 10:04 AM
‎11-15-2023 10:04 AM
Thanks for the reply. Unfortunately that is not an option as we need to keep the logs from all the servers and they all live on giant RAMDISK's and when the system is shutdown it all goes away except for this one host. I was hoping that we can somehow massage the data (Heavy forwarder maybe?) on the log aggregator and push it to splunk with the correct hostname somehow? ... View more

Re: Aggregating syslogs and forwarding to splunk a...

by in Getting Data In
‎11-15-2023 07:13 AM
‎11-15-2023 07:13 AM
Hi All - Any ideas on what I posted? ... View more

Aggregating syslogs and forwarding to splunk as ho...

by in Getting Data In
‎11-14-2023 03:17 PM
‎11-14-2023 03:17 PM
Hi All - Pretty new to Splunk and having an issue sorting/parsing data from our syslog server. We have many rhel7 linux hosts all sending their logs to one server where they get aggregated. This works fine. I can go into /var/log/secure, messages, etc. and see entries from all the hosts we have. We are running a splunkforwarder on this host with the hopes that it would be forwarding all the data to splunk as it hits the this rhel7 log aggregator. We just have a single head/indexer, and if I run a query "index="*" I do get quite a bit of results, BUT it only shows 2 hosts, the splunk instance and the rhel7 system that we are aggregating the logs on. If I change the search to "index="*" hostname"  with the hostname being one of the rhel hosts, I can find the entries specific to that host. I hope this makes sense? So somehow I need to tell Splunk about these hosts so they are recognized as separate hosts. What can I do to make this work? Thank you all in advance!   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-15-2023 10:34 AM