linux logs to splunk

niranjan28
New Member

Hi Friends,

I am trying to add Linux logs in Splunk. I created a server class and added the app details. I completed all the basic steps, but I still can't find the data in the Splunk head. Below you can find the sample logs from the server. Can anyone please suggest a config file for the same?

Sample log format :

01:00:07.703 STATUS: TRelease: TRACK: 201907160100NASDAQ_NDE__1000252590 en-synd1_0_3001.hld being marked ready for delivery.
01:00:07.703 STATUS: TRelease: TRACK: Leaving shm_keydist_check_response(): re ady count = 1
01:00:07.703 STATUS: TRelease: TRACK: 1 responses are ready to process.
01:00:07.703 STATUS: TRelease: TRACK: Preparing release files for 201907160100 NASDAQ
NDE____1000252590_en-synd1_0_3001.hld. Received all 1 replies back.
01:00:07.704 STATUS: TRelease: TRACK: prepare_release_list()
01:00:07.704 STATUS: TRelease: TRACK: add_in_serials() Added 2 serial numbers
01:00:07.704 STATUS: TRelease: TRACK: Serial 3001: delivered release file: 201 907160100NASDAQ
NDE____1000252590_en-synd1_0_3001.rls.
01:00:07.706 STATUS: TRelease: TRACK: Serial 3002: delivered release file: 201 907160100NASDAQ
NDE____1000252590_en-synd1_0_3001.rls.
01:00:07.707 STATUS: TRelease: TRACK: shm_keydist_clear_slot_by_id(0) - 201907 160100NASDAQ
NDE____1000252590_en-synd1_0_3001.hld
01:00:07.794 STATUS: TsynDg1-1: TRACK: shm_keydist_update_sent() - 2019071601 00NASDAQ
NDE______1000252594_en-synd1_0_3001.hld
01:00:07.794 STATUS: TsynDg1-1: TRACK: find_slot_by_filename(201907160100NASDA

0 Karma

richgalloway
SplunkTrust

Which apps have you included in the server class? Do any of them include inputs.conf? What are the inputs.conf settings? Is there an outputs.conf that tells the forwarder where the indexers are? Have you verified the apps are installed on the forwarder?

---
If this reply helps you, Karma would be appreciated.
0 Karma

jutzasconsist
New Member

Hi niranjan28,
can you please describe your setup?
Is there a Splunk Universal Forwarder sending data to your Indexer?
If yes: Does it get listed in your Monitoring Console correctly?
Kind regards,
Michael

0 Karma
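
A minimal set of the files the replies above ask about, as an added example that does not come from any poster in this thread. The monitor path, index, sourcetype name, output group name and indexer address are placeholders (assumptions), and the event-breaking settings are derived only from the sample lines in the question.

```ini
# --- inputs.conf (inside the app deployed through the server class) ---
# Path, index and sourcetype are placeholders; the thread does not state them.
[monitor:///path/to/application/logs/*.log]
disabled = false
index = main
sourcetype = trelease_track

# --- outputs.conf (on the forwarder) ---
# Tells the forwarder where the indexers are.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Placeholder host. 9997 is the conventional receiving port and has to be
# enabled as a receiving port on the indexer.
server = indexer.example.com:9997

# --- props.conf (where parsing happens: indexer or heavy forwarder) ---
[trelease_track]
SHOULD_LINEMERGE = false
# Break only before a line that starts with HH:MM:SS.mmm. If the wrapped
# lines in the sample (e.g. "NDE____1000252590_...") are really in the file,
# they stay attached to the event they continue instead of becoming events
# of their own.
LINE_BREAKER = ([\r\n]+)(?=\d{2}:\d{2}:\d{2}\.\d{3}\s)
# The sample lines carry a time of day but no date.
TIME_PREFIX = ^
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
```

On the forwarder, `splunk btool inputs list --debug` shows which app each input stanza was loaded from, and `splunk list forward-server` shows whether the connection to the indexer is active.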