https://community.splunk.com/t5/Getting-Data-In/Configuring-splunk-forwarder-Have-duplicate-usernames-over/m-p/145307#M29650 <P>I am pulling data from several linux hosts, each host has several users, and i am collecting data from each users llog folder.</P> <P>host1:<BR /> /opt/ABC/log/logfile1<BR /> /opt/ABCDEV/log/logfile1</P> <P>host2:<BR /> /opt/ABC/log/logfile1<BR /> /opt/ABCLIVE/log/logfile1</P> <P>This is my config from \Client panel\Dynamic Options:</P> <P>index=ABC sourcetype=host Logon | dedup source | rex field=source "\/.<EM>ABC(?.</EM>)\/lo.*" |eval Client=replace(Client,"\d","") | sort auto</P> <P>Command used to add file to monitor on each host:</P> <P>/opt/splunkforwarder/bin/splunk add monitor /opt//log/logfile1 -index ABC -sourcetype HOST</P> <P>The issue is that within Splunk home page, I have HOST , CLIENT<BR /> However due to the generic username of 'ABC' on host1 &amp; host2 it is resulting in only one entry for 'Client\source', so im missing a source for host2 ABC user.</P> <P>Ie:</P> <P>/opt/ABC/log/logfile1<BR /> /opt/ABCDEV/log/logfile1<BR /> /opt/ABCLIVE/log/logfile1</P> <P>Is there a way that i can configure splunk in order to be able to identify the 'generic' user?</P> Tue, 17 Feb 2015 06:54:11 GMT stu6000 2015-02-17T06:54:11Z https://community.splunk.com/t5/Getting-Data-In/Configuring-splunk-forwarder-Have-duplicate-usernames-over/m-p/145307#M29650 <P>I am pulling data from several linux hosts, each host has several users, and i am collecting data from each users llog folder.</P> <P>host1:<BR /> /opt/ABC/log/logfile1<BR /> /opt/ABCDEV/log/logfile1</P> <P>host2:<BR /> /opt/ABC/log/logfile1<BR /> /opt/ABCLIVE/log/logfile1</P> <P>This is my config from \Client panel\Dynamic Options:</P> <P>index=ABC sourcetype=host Logon | dedup source | rex field=source "\/.<EM>ABC(?.</EM>)\/lo.*" |eval Client=replace(Client,"\d","") | sort auto</P> <P>Command used to add file to monitor on each host:</P> <P>/opt/splunkforwarder/bin/splunk add monitor /opt//log/logfile1 -index ABC -sourcetype HOST</P> <P>The issue is that within Splunk home page, I have HOST , CLIENT<BR /> However due to the generic username of 'ABC' on host1 &amp; host2 it is resulting in only one entry for 'Client\source', so im missing a source for host2 ABC user.</P> <P>Ie:</P> <P>/opt/ABC/log/logfile1<BR /> /opt/ABCDEV/log/logfile1<BR /> /opt/ABCLIVE/log/logfile1</P> <P>Is there a way that i can configure splunk in order to be able to identify the 'generic' user?</P> Tue, 17 Feb 2015 06:54:11 GMT https://community.splunk.com/t5/Getting-Data-In/Configuring-splunk-forwarder-Have-duplicate-usernames-over/m-p/145307#M29650 stu6000 2015-02-17T06:54:11Z https://community.splunk.com/t5/Getting-Data-In/Configuring-splunk-forwarder-Have-duplicate-usernames-over/m-p/145308#M29651 <P>Your dedup is removing all the duplicated sources if I understand this correctly.</P> <P>Why not use the host field for these sources? That will be unique... So do something similar as..</P> <PRE><CODE>index=ABC sourcetype=host Logon | rex field=source "/opt\/(?P&lt;Client&gt;w+))\/" |stats count by host, Client </CODE></PRE> <P>Your host field will be unique to each event. You can extract the Client name from the path and then do a dedup or stats count on it.. That will give you a unique count of events by host and by Client (username/ path on disk..)</P> Tue, 17 Feb 2015 07:12:21 GMT https://community.splunk.com/t5/Getting-Data-In/Configuring-splunk-forwarder-Have-duplicate-usernames-over/m-p/145308#M29651 esix_splunk 2015-02-17T07:12:21Z