
Forums: SplunkAdministration: Unable to index files




I am running Splunk 4.0.6 with a demo enterprise license and am having problems adding several syslog-generated files into Splunk.

I use syslog to store remote syslog streams from routers on our network.

I am trying to monitor all of these files:
-rw-r----- 1 root root 2522 2009-11-12 07:53 network-comwaves-cm-rtr-200911.log
-rw-r----- 1 root root 198699 2009-11-12 10:53 network-comwaves-i35-rtr-200911.log
-rw-r----- 1 root root 178 2009-11-11 01:33 network-volznet-140th-rtr-200911.log
-rw-r----- 1 root root 2972 2009-11-12 08:58 network-volznet-lh-rtr-200911.log
-rw-r----- 1 root root 489128 2009-11-12 10:53 VolzFirewall-200911.log
xeon1:/var/log/network #

I have created all of the data input file entries in the web interface:

Full path on server                              Set host        Source type  Index      Number of files  App         Enabled / Actions
/var/log/network/network-comwaves-cm-rtr-*       Constant Value  Automatic    default                     search      Disable | Clone | Delete
/var/log/network/network-comwaves-i35-rtr-*      Constant Value  Automatic    default                     search      Disable | Clone | Delete
/var/log/network/network-volznet-140th-rtr-*     Constant Value  Automatic    default                     search      Disable | Clone | Delete
/var/log/network/network\-comwaves\-i35\-rtr\-*  Constant Value  Automatic    default                     search      Disable | Clone | Delete
$SPLUNK_HOME/etc/apps/sample_app/logs            Constant Value  sendmail     sample     2                sample_app  Disable | Clone
$SPLUNK_HOME/var/log/splunk                      Constant Value  Automatic    _internal  18               system      Disable | Clone
/var/log/mail                                    Constant Value  Automatic    default                     search      Disable | Clone | Delete
/var/log/messages                                Constant Value  Automatic    default                     search      Disable | Clone | Delete
/var/log/network/network-volznet-lh-rtr-*        Constant Value  Automatic    default                     search      Disable | Clone | Delete
/var/log/network/VolzFirewall-*                  Constant Value  Automatic    default    1                search      Disable | Clone | Delete

However, only the syslog messages, mail and VolzFirewall entries are working. I have tried on one entry ("i35-rtr") to use \- thinking the "-" might be a special character that needs to be escaped, but that did not help either.

Any directions to see what I'm doing wrong as to why these files aren't being indexed?

I see these are only readable by root and the root group, so Splunk does have to run as root. You can run "./splunk list monitor" on the command line to see if they are being monitored.

Oh, and finally, have you enabled the Unix app? If so, it's sending your logs into a non-default index, which you could see by querying "index=*". I thought they had stopped doing that to the /var/log files, but I see in my 4.0.5 that it's still doing that.
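An added check that follows from the reply's permission point (example script, not part of the original thread or of Splunk): given the account the Splunk daemon runs as, it predicts from the ls mode string, owner and group whether that account can read each monitored file, so the "-rw-r----- root root" case above shows up as "denied" for a non-root service user before anyone wonders why nothing is indexed. It uses only POSIX ls and id; the service user name "splunk" and the /var/log/network paths in the usage comment are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the user that Splunk runs as
# can read each file it is asked to monitor. Usage:
#   sh check_reader.sh splunk /var/log/network/*.log      # "splunk" is an assumed service account

# read_allowed MODE OWNER GROUP USER GROUPS
#   MODE   is an ls(1) mode string such as -rw-r-----
#   GROUPS is the space-separated list of groups USER belongs to
# Prints "ok" or "denied" and returns 0 or 1 accordingly.
read_allowed() {
  mode=$1 owner=$2 group=$3 user=$4 groups=$5
  # root bypasses the permission bits entirely
  [ "$user" = root ] && { echo ok; return 0; }
  # read bits sit at positions 2 (owner), 5 (group) and 8 (other) of the mode string
  uread=$(printf '%.1s' "${mode#?}")
  gread=$(printf '%.1s' "${mode#????}")
  oread=$(printf '%.1s' "${mode#???????}")
  if [ "$user" = "$owner" ]; then
    bit=$uread
  elif in_list "$group" $groups; then
    bit=$gread
  else
    bit=$oread
  fi
  if [ "$bit" = r ]; then echo ok; return 0; fi
  echo denied; return 1
}

# in_list NEEDLE WORD... : succeed if NEEDLE equals one of the WORDs
in_list() {
  needle=$1; shift
  for w in "$@"; do [ "$w" = "$needle" ] && return 0; done
  return 1
}

# can_user_read USER FILE : gather mode/owner/group with ls -ld and USER's groups
# with id, then apply read_allowed. Prints "missing" if FILE does not exist.
can_user_read() {
  user=$1 file=$2
  [ -e "$file" ] || { echo missing; return 2; }
  set -- $(ls -ld "$file")          # $1=mode $3=owner $4=group
  groups=$(id -Gn "$user" 2>/dev/null || true)   # empty if USER is unknown
  read_allowed "$1" "$3" "$4" "$user" "$groups"
}

# When run with arguments: USER followed by the files to check
if [ $# -ge 2 ]; then
  svc=$1; shift
  for f in "$@"; do
    printf '%-8s %s\n' "$(can_user_read "$svc" "$f")" "$f"
  done
fi
```

The listing in the question is mode -rw-r----- with owner and group root, so the script reports "denied" for any service account that is neither root nor a member of group root; the fix is either to run Splunk as root, as the reply says, or to add the service account to the owning group (or widen the group of the log directory) so the daemon can read the files without root.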