How does Livestatus work in the integration of Nagios and Splunk?
I'm running into incomplete documentation or irrelevant situations in trying to understand this, so I need help in straightening my definition of this environment. I have an instance of Nagios, an instance of Splunk, and a working Livestatus that provides a socket from which data from Nagios can be obtained. I understand that Livestatus can pull information from Nagios such as `echo 'GET hosts'|unixcat /path/to/livestatus/live/socket`. Another way of using Livestatus is creating files that contain custom queries, which can organize and filter the data in order to provide items of relevance and importance, and using `unixcat < queryName path/to/livestatus/live/socket`. However, based on what I've seen Splunk do, it's simply pulling all the information in from Nagios, disregarding the Livestatus queries. This begs the question: how do I get Splunk to receive filtered data from Nagios so that, as an example, it receives data that a logging service is down and *not* within scheduled downtime? Once that data has been filtered, where in Splunk am I able to view the data of that query?
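The filtered query described in the question, as an added example that is not part of the original post or of any Nagios/Splunk integration: it asks Livestatus only for CRITICAL services matching a name that are outside scheduled downtime, and prints one key=value line per row. Assumptions: the socket path is the post's placeholder, the service pattern `syslog` and the output format are illustrative, and the collecting side indexes the script's standard output (for instance as a scripted input).

```python
import json
import socket

# Placeholder path taken from the post; replace with the real socket location.
SOCKET_PATH = "/path/to/livestatus/live/socket"
COLUMNS = ["host_name", "description", "state", "plugin_output"]

def build_query(service_pattern):
    """Build a Livestatus query; consecutive Filter headers are ANDed."""
    if "\n" in service_pattern or "\r" in service_pattern:
        # A newline would let the pattern smuggle in extra query headers.
        raise ValueError("newline not allowed in service pattern")
    lines = [
        "GET services",
        "Columns: " + " ".join(COLUMNS),
        "Filter: description ~~ " + service_pattern,  # case-insensitive regex
        "Filter: state = 2",                          # 2 = CRITICAL
        "Filter: scheduled_downtime_depth = 0",       # service not in downtime
        "Filter: host_scheduled_downtime_depth = 0",  # host not in downtime
        "OutputFormat: json",
    ]
    return "\n".join(lines) + "\n\n"  # a blank line terminates the query

def run_query(query, path=SOCKET_PATH):
    """Send one query over the Unix socket and return the decoded rows."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(query.encode())
        s.shutdown(socket.SHUT_WR)  # signal end of request, then read reply
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return json.loads(b"".join(chunks) or b"[]")

def to_events(rows):
    """Turn each row into one key=value line; json.dumps quotes and escapes."""
    return [" ".join(f"{k}={json.dumps(v)}" for k, v in zip(COLUMNS, row))
            for row in rows]

if __name__ == "__main__":
    for line in to_events(run_query(build_query("syslog"))):
        print(line)
```

Because the filtering happens in the Livestatus query, only matching rows leave the Nagios host; the socket file's permissions decide who can run such queries.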