All Apps and Add-ons

How to capture Solaris /var/adm/wtmpx data in splunk ?

gautham_001
New Member

Got a request to capture Solaris /var/adm/wtmpx data in Splunk. For testing purposes, I downloaded the Splunk Add-on for UNIX and Linux (5.2.4) from Splunkbase, created an app called Test-IA-wtmpx and deployed it via the deployment server to a remote Solaris test machine, with the following configuration details:

/opt/splunk/etc/apps/Test-IA-wtmpx/bin/: before deploying to the remote Solaris machine, the lastlog.sh and who.sh scripts were made executable by running "chmod +x" on the .sh files.

Created a local directory with the following configuration in inputs.conf:

**Testing to pull the data file wtmpx** 

#Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
index = unix
disabled = 0

# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = unix
disabled = 0


[monitor:///var/adm/wtmpx]
index = unix
disabled = 0

In the forwarder management console the Test-IA-wtmpx app was enabled and the restart option was also kept enabled, so that whenever the app is reloaded from the DP instance the app gets restarted.

But still, I could not see the data being ingested into Splunk when executing the simple query below.

index=unix source="/var/adm/wtmpx.txt" host=node1

Can anyone correct me if this is not the correct procedure to capture the wtmpx data in Splunk?

0 Karma

gautham_001
New Member

Hey, any help on this will be much appreciated!!!

0 Karma

kannu
Communicator

Can you please provide the logs from your splunkd.log file by grepping for ExecProcessor in that file.

0 Karma

kannu
Communicator

grep -i "ExecProcessor" $SPLUNK_HOME/var/log/splunk/splunkd.log

0 Karma

kannu
Communicator

Your last monitor entry is, I think, incorrect.

It should be

For all text files:

[monitor:///var/adm/*.txt]
index = unix
disabled = 0

For a particular text file:

[monitor:///var/adm/wtmpx.txt]
index = unix
disabled = 0

And make sure that you have created an index named UNIX on your indexer or search head, wherever you are sending your data according to outputs.conf.

0 Karma

gautham_001
New Member

Hi kannu, thanks for your support on this. I tried the above steps but it did not work; I am still unable to get the data into Splunk. Kindly guide me on this.

0 Karma
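Worked example, added to this thread and not part of the Splunk Add-on for UNIX and Linux or of any post above. The [monitor:///var/adm/wtmpx] stanza in the original inputs.conf, and the .txt variants suggested in reply, both treat wtmpx as line-oriented text, but /var/adm/wtmpx is a binary file of fixed-size utmpx records with no newlines, so the monitor input has nothing sensible to break into events. The usual route is a scripted input, like the who.sh and lastlog.sh inputs already in the app, that decodes the records and prints one text line per login event. The Python below does that decoding. The record layout it uses is my reading of the Solaris utmpx struct (372 bytes; big-endian on SPARC, little-endian on x86) and must be checked against /usr/include/utmpx.h on the target; the sample records, the script name wtmpx.py and the stanza name mentioned afterwards are constructed for this example.

```python
#!/usr/bin/env python3
"""Decode Solaris-style utmpx/wtmpx records into text login events.

Example code added for this thread, not from the Splunk add-on: a scripted
input would run it against /var/adm/wtmpx and print one line per record,
because a [monitor://] stanza on the binary file has no lines to split on.
"""
import datetime
import struct
import sys

# Assumed Solaris utmpx layout (verify against /usr/include/utmpx.h on the
# target; SPARC is big-endian ">", x86 little-endian "<"):
#   char ut_user[32]; char ut_id[4]; char ut_line[32]; pid_t ut_pid;
#   short ut_type; struct exit_status { short e_termination; short e_exit; };
#   struct timeval32 { int32 tv_sec; int32 tv_usec; }; int ut_session;
#   int pad[5]; short ut_syslen; char ut_host[257];   -> 372 bytes padded
UTMPX_FIELDS = "32s4s32sihhhxxiii5ih257sx"
UTMPX_RECORD_SIZE = struct.calcsize(">" + UTMPX_FIELDS)  # 372

# ut_type values from SVR4 <utmp.h>
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "OLD_TIME",
            4: "NEW_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
            7: "USER_PROCESS", 8: "DEAD_PROCESS", 9: "ACCOUNTING"}
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmpx(data, byteorder=">"):
    """Return one dict per non-EMPTY record. A trailing partial record (the
    file is appended to while we read it) is ignored rather than mis-decoded."""
    fmt = byteorder + UTMPX_FIELDS
    records = []
    for off in range(0, len(data) - UTMPX_RECORD_SIZE + 1, UTMPX_RECORD_SIZE):
        f = struct.unpack_from(fmt, data, off)
        if f[4] == 0:  # EMPTY slot
            continue
        records.append({
            "user": _cstr(f[0]), "id": _cstr(f[1]), "line": _cstr(f[2]),
            "pid": f[3], "type": f[4],
            "type_name": UT_TYPES.get(f[4], "UNKNOWN_%d" % f[4]),
            "exit_status": f[6], "tv_sec": f[7], "host": _cstr(f[16]),
        })
    return records


def format_event(rec):
    """One Splunk-friendly line: ISO 8601 timestamp first, then key=value pairs."""
    ts = datetime.datetime.fromtimestamp(rec["tv_sec"], datetime.timezone.utc)
    return '%s type=%s user="%s" line="%s" host="%s" pid=%d' % (
        ts.strftime("%Y-%m-%dT%H:%M:%SZ"), rec["type_name"], rec["user"],
        rec["line"], rec["host"], rec["pid"])


def session_durations(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line and
    return (user, line, host, seconds) tuples; still-open sessions are omitted."""
    open_logins, sessions = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_logins[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_logins:
            login = open_logins.pop(r["line"])
            sessions.append((login["user"], r["line"], login["host"],
                             r["tv_sec"] - login["tv_sec"]))
    return sessions


def build_record(user, line, ut_type, tv_sec, pid=0, host="", byteorder=">"):
    """Pack one record; used only to construct sample data for this example."""
    return struct.pack(byteorder + UTMPX_FIELDS,
                       user.encode(), b"", line.encode(), pid, ut_type,
                       0, 0,            # exit_status
                       tv_sec, 0,       # ut_tv
                       0,               # ut_session
                       0, 0, 0, 0, 0,   # pad[5]
                       len(host), host.encode())


def sample_wtmpx():
    """Constructed sample file: boot, alice login, alice logout, plus a
    truncated trailing record as if the file were mid-write."""
    t0 = int(datetime.datetime(2024, 5, 1, 12, 0,
                               tzinfo=datetime.timezone.utc).timestamp())
    data = (build_record("", "system boot", 2, t0 - 600)
            + build_record("alice", "pts/1", USER_PROCESS, t0, pid=4242, host="10.0.0.5")
            + build_record("", "pts/1", DEAD_PROCESS, t0 + 1800, pid=4242))
    return data + b"\0" * 100


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_wtmpx()
    for rec in parse_wtmpx(raw):
        print(format_event(rec))
```

Dropped into the app's bin/ and wired up with a hypothetical [script://./bin/wtmpx.py /var/adm/wtmpx] stanza with its own sourcetype, this prints lines Splunk can timestamp and field-extract without any props.conf work; with no argument it parses the constructed sample. The endianness parameter matters: records packed on one byte order and read with the other decode to a nonsense ut_type, which is a quick check to run before trusting the output on a new host. session_durations shows the kind of question the data answers for a defender, which user logged in from which host and for how long, and the forwarder's user still needs read access to wtmpx for any of this to run.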