<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Have date separated logs from single host sent with universal forwarder and indexed as single host? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Have-date-separated-logs-from-single-host-sent-with-universal/m-p/77883#M15944</link>
    <description>&lt;P&gt;I am sending all of my logs to syslog-ng and then forwarding to Splunk with the universal forwarder. Everything is working great but right now I have each host/device logging to a single file. If I wanted to have a separate log file for each day or month or whatever per host/device using file("/var/log/$HOST/$YEAR/$MONTH/$DAY/ where a new log file for the host is created each day, how would I be able to have the universal forwarder have all of these files sent to the indexer and have them all under the same host in the indexer?&lt;/P&gt;</description>
    <pubDate>Wed, 03 Oct 2012 05:49:25 GMT</pubDate>
    <dc:creator>johns3</dc:creator>
    <dc:date>2012-10-03T05:49:25Z</dc:date>
    <item>
      <title>Have date separated logs from single host sent with universal forwarder and indexed as single host?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Have-date-separated-logs-from-single-host-sent-with-universal/m-p/77883#M15944</link>
      <description>&lt;P&gt;I am sending all of my logs to syslog-ng and then forwarding to Splunk with the universal forwarder. Everything is working great but right now I have each host/device logging to a single file. If I wanted to have a separate log file for each day or month or whatever per host/device using file("/var/log/$HOST/$YEAR/$MONTH/$DAY/ where a new log file for the host is created each day, how would I be able to have the universal forwarder have all of these files sent to the indexer and have them all under the same host in the indexer?&lt;/P&gt;</description>
      <pubDate>Wed, 03 Oct 2012 05:49:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Have-date-separated-logs-from-single-host-sent-with-universal/m-p/77883#M15944</guid>
      <dc:creator>johns3</dc:creator>
      <dc:date>2012-10-03T05:49:25Z</dc:date>
    </item>
    <item>
      <title>Re: Have date separated logs from single host sent with universal forwarder and indexed as single host?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Have-date-separated-logs-from-single-host-sent-with-universal/m-p/77884#M15945</link>
      <description>&lt;P&gt;First, be aware that the syslog sourcetype is special: it includes an automatic extraction of the host from the event (see $SPLUNK_HOME/etc/default/props.conf).&lt;BR /&gt;
So you create another sourcetype, based on syslog, without this host extraction transform.&lt;/P&gt;

&lt;P&gt;Second, to extract the host from the path, use the parameter host_segment, see&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/admin/Inputsconf"&gt;http://docs.splunk.com/Documentation/Splunk/4.3.4/admin/Inputsconf&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 03 Oct 2012 06:35:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Have-date-separated-logs-from-single-host-sent-with-universal/m-p/77884#M15945</guid>
      <dc:creator>yannK</dc:creator>
      <dc:date>2012-10-03T06:35:15Z</dc:date>
    </item>
  </channel>
</rss>