Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unix App and searching Unix Logs

nmcbride
Engager
‎04-09-2011 12:37 AM

So once you have the unix app installed, one of the things it does is monitors /var/log. However you can't seem to search the logs as if you add /var/log as a directory input. And since it is already monitored, you can't add it again. How do you fix this?

Tags (2)
Reply

sideview
SplunkTrust
SplunkTrust
‎04-11-2011 07:09 PM

I think the difficulty arises in that the unix app puts the events into index="os".

1) Try adding index="os" to your search. I bet you'll be able to see the events then.

2) Go to Manager > Authentication > Roles, and you can edit some or all of your roles such that index'os' is implicitly included when searches are run. Be careful though - there are two index sections on those pages and they look different but they do very different things.

Reply

LCM
Contributor
‎04-09-2011 10:29 AM

If a directory is already added (/var/log), there is no need to add it again. Once added means, it monitors ANY files in there. In the search app, it shouldn't be a problem now to search for evens stored in /var/log although the directory has been added by *nix app.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...