
So once you have the Unix app installed, one of the things it does is monitor /var/log. However, you can't seem to search the logs as if you had added /var/log as a directory input, and since it is already monitored, you can't add it again. How do you fix this?

asked 09 Apr '11, 00:37


nmcbride
111
accept rate: 0%


2 Answers:

If a directory is already added (/var/log), there is no need to add it again. Once added, it monitors ANY files in there. In the search app, it shouldn't be a problem now to search for events stored in /var/log although the directory has been added by the *nix app.


answered 09 Apr '11, 10:29


LCM
892111
accept rate: 17%

I think the difficulty arises in that the Unix app puts the events into index="os".

1) Try adding index="os" to your search. I bet you'll be able to see the events then.

2) Go to Manager > Authentication > Roles, and you can edit some or all of your roles such that index="os" is implicitly included when searches are run. Be careful though - there are two index sections on those pages and they look different but they do very different things.


answered 11 Apr '11, 19:09


nick ♦
14.2k1318
accept rate: 47%
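As an added illustration (not part of nick's answer or of the Unix app's own files), here is how the two remedies above map onto the .conf settings behind those Manager screens; the role name `role_analyst` is a placeholder, and the monitor stanza is a simplified stand-in for whatever the app actually ships:

```ini
# inputs.conf (simplified, illustrative): a monitor input like the one the
# *nix app installs. The key point is "index = os": events land in the
# "os" index rather than "main", so a search that omits index=... never
# sees them. Remedy 1 is simply to search  index="os" source="/var/log/*".
[monitor:///var/log]
index = os
disabled = false

# authorize.conf: the role the affected user holds (name is a placeholder).
# Remedy 2 lives here. These are the "two index sections" nick warns about:
[role_analyst]
# "Indexes searched by default": which indexes a search hits when the user
# does not write index=... explicitly. Adding os here makes /var/log events
# show up in ordinary searches without changing the search itself.
srchIndexesDefault = main;os
# "Indexes": which indexes the role is permitted to search at all. Adding os
# here only grants access; on its own it does not change what a plain
# search looks at, which is why editing the wrong section has no effect.
srchIndexesAllowed = main;os
```

Remedy 1 needs no restart; edits to authorize.conf take effect after a Splunk restart, and a role can only be granted default access to an index it is also allowed to search.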


Asked: 09 Apr '11, 00:37

Seen: 990 times

Last updated: 11 Apr '11, 19:09

Copyright © 2005-2012 Splunk, Inc. All rights reserved.