http://www.splunk.com/support/forum:SplunkAdministration/3560 Mon, 13 Feb 2012 19:13:08 PST Mon, 13 Feb 2012 19:13:08 PST en-us http://creativecommons.org/licenses/by-nc-nd/2.5/ http://www.splunk.com/support/forum:SplunkAdministration/3560/11556 <p>I see these are only readable by root and the root group, so splunk does have to run as root. You can run &quot;./splunk list monitor&quot; on the command line to see if they are being monitored.</p> <p>Oh, and finally, have you enabled the Unix app? If so, it's sending your logs into a non-default index, which you could see by querying &quot;index=*&quot;. I thought they had stopped doing that to the /var/log files, but I see in my 4.0.5 that it's still doing that.</p> Thu, 12 Nov 2009 21:52:30 PST gkanapathy http://www.splunk.com/support/forum:SplunkAdministration/3560/11556 http://www.splunk.com/support/forum:SplunkAdministration/3560/11532 <p>i am running Splunk 4.0.6 with a demo enterprise license and am having problems adding several syslog generated files into splunk.</p> <p>I use syslog to store remote syslog streams from routers on our network.</p> <p>I am trying to monitor all of these files:<br /> -rw-r----- 1 root root 2522 2009-11-12 07:53 network-comwaves-cm-rtr-200911.log<br /> -rw-r----- 1 root root 198699 2009-11-12 10:53 network-comwaves-i35-rtr-200911.log<br /> -rw-r----- 1 root root 178 2009-11-11 01:33 network-volznet-140th-rtr-200911.log<br /> -rw-r----- 1 root root 2972 2009-11-12 08:58 network-volznet-lh-rtr-200911.log<br /> -rw-r----- 1 root root 489128 2009-11-12 10:53 <a class="wiki_url_new" href="/base/VolzFirewall">VolzFirewall</a>-200911.log<br /> xeon1:/var/log/network #</p> <p>I have created all of the data input files entries in the web interface:<br /> Full path on server Set host Source type Index Number of files App Enabled Actions<br /> /var/log/network/network-comwaves-cm-rtr-* Constant Value Automatic default search <br /> | Disable Clone | Delete<br /> /var/log/network/network-comwaves-i35-rtr-* Constant Value Automatic default search <br /> | Disable Clone | Delete<br /> /var/log/network/network-volznet-140th-rtr-* Constant Value Automatic default search <br /> | Disable Clone | Delete<br /> /var/log/network/network\-comwaves\-i35\-rtr\-* Constant Value Automatic default search <br /> | Disable Clone | Delete<br /> $SPLUNK_HOME/etc/apps/sample_app/logs Constant Value sendmail sample 2 sample_app <br /> | Disable Clone<br /> $SPLUNK_HOME/var/log/splunk Constant Value Automatic _internal 18 system <br /> | Disable Clone<br /> /var/log/mail Constant Value Automatic default search <br /> | Disable Clone | Delete<br /> /var/log/messages Constant Value Automatic default search <br /> | Disable Clone | Delete<br /> /var/log/network/network-volznet-lh-rtr-* Constant Value Automatic default search <br /> | Disable Clone | Delete<br /> /var/log/network/<a class="wiki_url_new" href="/base/VolzFirewall">VolzFirewall</a>-* Constant Value Automatic default 1 search <br /> | Disable Clone | Delete</p> <p>However only the syslog messages, mail and Volzfirewall entries are working. I have tried on one entry &quot;i35-rtr&quot; to use \- thinking the &quot;-&quot; might be a special character that needs to be escaped, but that did not help either.</p> <p>Any directions to see what I'm doing wrong as to why these files aren't being indexed?</p> Thu, 12 Nov 2009 09:03:58 PST TheCowStir http://www.splunk.com/support/forum:SplunkAdministration/3560/11532