How to configure logs capture in Splunk

thambijoseph · ‎09-23-2016

Hi,
I am a newbie to splunk and I have a requirement like below.

We are using Weblogic em console to see and download our web application journey logs.
Now as part of our requirement, we need to use Splunk for the logs capturing.
I am not understanding how to start in using the Splunk. I read some documentation on Splunk but did not got any idea where to start from.

Can you please help me out in using Splunk.

Regards,
Joseph.

skoelpin · ‎09-23-2016

Welcome to Splunk Answers @thambijoseph

Splunk is a tool which will ingest logs, index them, parse them, then make them available in a nice user interface which is easy to search and make use it. You can also create fields and use those fields to analyze data and make sense of it.

To start you will need to have a remote host file and monitor a directory where the log files are being generated. Once new data flows into the log files, Splunk will see this and forward them to your indexer which will then index the files. Assuming your indexer is already set up, your first step would be to create an inputs.conf on the remote host and start monitoring a directory to ingest those log files.

thambijoseph · ‎09-26-2016

Hi Skoelpin,

Is there any documentation with step by step process. I read the document but still not understanding how to proceed.

skoelpin · ‎09-26-2016

The below link describes how to start indexing data.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Getstartedwithgettingdatain

Here's a brief description to add onto this.. This is an example of a general setup..
You will have a remote server which will generate log data.. This log data will be under C:\Logs\Data.txt.. You will set up a Splunk forwarder to monitor the path C:\Logs\Data.txt so everytime new data is added to the text file Data.txt, the Splunk forwarder will recognize this and forward it to your central Splunk server (Also known as an indexer) and the indexer will index and parse the data and make it usable in the Splunk GUI. So say Data.txt is a high volume log which has millions of events and you want to know how often people have attempted search for the term "splunk", you could do a search and quickly find out how many people looked for Splunk compared to all the other terms overall. So to set this up, you will need to configure your forwarder on the remote machine. After installing the forwarder, you will need 2 files which will be located in %SPLUNK_HOME%/etc/system/local.. Those 2 files are inputs.conf which will have a stanza and define what index your data will go to and the sourcetype it should have (When you create fields in Splunk , it will be relative to the sourcetype) and an outputs.conf will have information which will point to your indexer so the data knows where to go. It's super easy to install a forwarder and you can look at examples online for the inputs.conf and outputs.conf and copy those then you should be in business

alemarzu · ‎09-23-2016

Hi there,

Just go to Settings > Data Inputs > Files & Directories OR select how to index your input according to your data source. After that, just follow the wizard.

If you have any doubt, don't hasitate.

This will probably help you a lot more, http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Configureyourinputs

thambijoseph · ‎09-26-2016

Hi Alemarzu,

Is there any documentation with step by step process. I read the document but still not understanding how to proceed.

alemarzu · ‎09-26-2016

Hi there mate, sure there is.

In the link that pasted above from Splunk docs if you look at the left side of the web page, you'll see this menu. In there you will find the step by step procedure to index your data.

How to configure logs capture in Splunk

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!