Reputation: 139
I am trying to create a dashboard from the Splunk logs. The logs have a .log file extension. How can we retrieve the data from the log file and create a table in a dashboard?
The log file has JSON data with key and value attributes.
Is there any way we can publish the data inside the log to a dashboard?
Upvotes: 0
Views: 77
Reputation: 9926
Install a Splunk Universal Forwarder on the server where the logs reside. Define an input for the .log files. In $SPLUNK_HOME/etc/app//local/inputs.conf:
[monitor:///<path to files>/*.log]
sourcetype = foo
index = bar
Define properties for the data on the indexer(s). In $SPLUNK_HOME/etc/apps//props.conf:
[foo]
KV_MODE = json
# The following require examining sample events to determine the values
TIME_PREFIX = ^
TIME_FORMAT =
MAX_TIMESTAMP_LOOKAHEAD =
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
The above will get the data into Splunk. To put it in a dashboard, you must search for it. When the search returns the desired results, save it into a dashboard by clicking the "Save as" link.
Upvotes: 0
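The answer above leaves TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD blank because they depend on the sample events. The following is an added example, not part of the original answer, showing one way to derive those values from a few events. The sample events, the `ts` field name, the candidate format list and the helper names are constructed for illustration.

```python
import json
import re
from datetime import datetime

# Constructed sample events (assumption: one JSON object per line, which is
# what SHOULD_LINEMERGE = false and LINE_BREAKER = ([\r\n]+) imply).
SAMPLE_EVENTS = [
    '{"ts": "2024-03-01T09:15:02.123+0000", "level": "INFO", "user": "alice", "action": "login"}',
    '{"ts": "2024-03-01T09:15:07.456+0000", "level": "WARN", "user": "bob", "action": "login_failed"}',
]

# Candidate formats as (Splunk TIME_FORMAT, Python strptime equivalent).
# Splunk writes milliseconds as %3N; Python's closest directive is %f.
CANDIDATES = [
    ("%Y-%m-%dT%H:%M:%S.%3N%z", "%Y-%m-%dT%H:%M:%S.%f%z"),
    ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%dT%H:%M:%S%z"),
    ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M:%S"),
]

def match_format(value):
    """Return the Splunk TIME_FORMAT that parses value, or None."""
    for splunk_fmt, py_fmt in CANDIDATES:
        try:
            datetime.strptime(value, py_fmt)
            return splunk_fmt
        except ValueError:
            continue
    return None

def suggest_props(events):
    """Suggest timestamp settings that hold for every sample event."""
    first = json.loads(events[0])
    for key, value in first.items():
        fmt = match_format(value) if isinstance(value, str) else None
        if fmt is None:
            continue
        # Regex that ends just before the timestamp text, as TIME_PREFIX expects.
        prefix = r'"%s"\s*:\s*"' % re.escape(key)
        lookahead = 0
        for raw in events:
            stamp = json.loads(raw).get(key)
            if not re.search(prefix, raw) or not isinstance(stamp, str) or match_format(stamp) != fmt:
                break  # this field is not a consistent timestamp; try the next key
            lookahead = max(lookahead, len(stamp))
        else:
            return {"TIME_PREFIX": prefix, "TIME_FORMAT": fmt, "MAX_TIMESTAMP_LOOKAHEAD": lookahead}
    raise ValueError("no field parses as a timestamp in every sample event")

if __name__ == "__main__":
    for name, setting in suggest_props(SAMPLE_EVENTS).items():
        print(f"{name} = {setting}")
```

The printed lines can be pasted under the `[foo]` stanza in props.conf. Check them against a larger sample before deploying, since a wrong TIME_FORMAT causes events to be indexed with the wrong `_time`.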