Getting Data In

New free license Splunk install running *NIX to see host entries in my syslog server's /var/log

noahjscales
Explorer

Hi.

I have a new 4.1.4 free license install running on a VM. On the same server running Splunk, I have a /var/log that is filled with syslog entries forwarded from other machines and captured by a syslog daemon on the same server.

I would like the *NIX app to load the /var/log data in so that I can see the entries differentiated by host in the app. I could ask Splunk to monitor the /var/log directory, or something, but that might not give me the links on the homepage of the *NIX app that I had when I ran *NIX under the enterprise license.

I understand that I am supposed to run a manual search but I don't know how to configure *NIX to find the log files, et cetera, under the free version. I think I will need to "bulk load" the /var/log data, because there's just so much of it.

Tags (4)
0 Karma

noahjscales
Explorer

It looks like the four Data Inputs created by *NIX, including the Files and Directory Data Input for the /var/log directory, were disabled inside the Manager. So a quick click on 'enable' for each got me halfway there. I had a few custom logs sitting in the directory, so I modified the whitelist regex to include patterns for the names of the files, and now I'm all set!

noahjscales
Explorer

NEVER MIND! The Data inputs created for the *NIX app were disabled for some reason.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...