Monitoring Splunk

monitor log file macOs

YANN84
New Member

I have recently installed Splunk Enterprise to play with it a little and I am trying to monitor my log files or CPU activity on my Mac, but I am unable to create a visualization once everything is loaded. Here is what I do:

Settings / Data inputs / Files & directories

From this menu I click on New to add a new thing to monitor. Then I browse to the file and directory I want to monitor, which is inside the following path:

   Applications/Utilities/Activity Monitor.app/Contents/MacOS/Activity Monitor

Once this is loaded I am still unable to get a visualization. Am I inside the right folder/file, or is that not the way to monitor files in Splunk?

0 Karma

afamoyib
Path Finder

There is actually an app from Splunk that monitors *nix environments. You can review its inputs.conf file to get the information you want. But since it is your own OS, I would suggest deploying it so you can see all the information you want from your OS and add to it.

https://splunkbase.splunk.com/app/833/

Splunk TA NIX

0 Karma

Herman
Explorer

Why does nothing happen when I click 'Save' in the add-on's settings? I am still trying to figure out how to use the add-on.

0 Karma

Richfez
SplunkTrust

I think the file you are monitoring is not a log file? Is that the actual executable that runs Activity Monitor?

In recent versions of OSX, Apple has made this hard. They built a new logging mechanism that's binary (like systemd in *nix) but haven't gotten around to building a conversion-to-text utility. Or at least one that will run automatically all the time. Here's an answer that may [not] help on trying to ingest that logging.

If nothing else, that hopefully will help you find an answer. When/if you do, please update us!

(Also, it's very possible someone's figured out a good way to do this, they just haven't seen this question yet!)

0 Karma

YANN84
New Member

Thanks; I think that's the problem. I'll try on Windows first, then try to figure it out on my Mac.

0 Karma

kamlesh_vaghela
SplunkTrust

Hi @YANN84,

When configuring the file input, you selected "File" by clicking the Browse button. After clicking Next you were asked to "Set Source Type". At this point, are you able to see any events in the event preview?
If yes, then try the searches below over All time to verify the data.

source="*YOUR_FILE_NAME*" sourcetype="YOUR_SOURCE_TYPE"

OR

source="*YOUR_FILE_NAME*"

OR

sourcetype="YOUR_SOURCE_TYPE"

If you find data then there is no problem with file monitoring. If not, check the link below.

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorfilesanddirectorieswithSplunkWeb

If we are able to monitor the file and still cannot see any visualization, then next we have to check whether the fields used in the visualization panels are properly extracted. To verify this, run the search above (or any visualization's search) and check the extracted fields in the left-side panel. If they are not there, then there is a problem with extraction. Please see the link below.

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/ExtractfieldsinteractivelywithIFX

I hope this will help you.

Happy Splunking

0 Karma

YANN84
New Member

Thanks. I seem to see where my problem is, but I'm still not able to sort it. My source is set to default and I have changed the app context to Monitoring Console from Search & Reporting. I do not think my file is being read properly. My events look odd, similar to this:

 xCF\xFA\xCD ... 

and lots of zeros; absolutely horrendous...

0 Karma
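As an added example (not code from any poster in this thread): the event starting with \xCF\xFA... is consistent with the Mach-O magic bytes of the Activity Monitor executable rather than a log file. This Python check classifies a candidate file before it is added as a monitor input and only builds an inputs.conf [monitor://] stanza for a text file. The sample file names and contents are constructed.

```python
import os
import tempfile

# Mach-O magic numbers (what lives under *.app/Contents/MacOS/ on macOS).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit, big/little endian
    b"\xca\xfe\xba\xbe",                        # universal (fat) binary
}


def classify_monitor_candidate(path, sample_size=4096):
    """Return 'mach-o', 'binary' or 'text' for the file at path."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if not head:
        return "text"  # empty file: nothing to judge yet, it may fill later
    if b"\x00" in head:  # text logs never contain NUL bytes
        return "binary"
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    return "text" if printable / len(head) > 0.95 else "binary"


def inputs_stanza(path, sourcetype, index="main"):
    """Build the inputs.conf stanza Splunk Web writes for a file monitor."""
    return "\n".join([f"[monitor://{path}]", f"sourcetype = {sourcetype}",
                      f"index = {index}", "disabled = false"])


def plan_input(path, sourcetype, index="main"):
    """Return (kind, stanza); stanza is None when the file is not text."""
    kind = classify_monitor_candidate(path)
    return kind, (inputs_stanza(path, sourcetype, index) if kind == "text" else None)


def demo():
    # Constructed samples: one syslog-style line and a fake Mach-O header.
    d = tempfile.mkdtemp()
    log = os.path.join(d, "system.log")
    with open(log, "w") as f:
        f.write("Jan  1 12:00:00 mac kernel[0]: constructed sample line\n")
    exe = os.path.join(d, "Activity Monitor")
    with open(exe, "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
    return plan_input(log, "syslog"), plan_input(exe, "syslog")


if __name__ == "__main__":
    for kind, stanza in demo():
        print(kind, "->", stanza or "skipped (not a text log)")
```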