topic Re: Search by host (all indexed data Hosts list) in Getting Data In

Search by host (all indexed data Hosts list)

mudricd — Tue, 13 Apr 2010 18:53:59 GMT

Hi,

I have syslog_ng server (sles 10). Everything is logged in this way:

/var/log/HOSTS/xx-yy/hostname or ip/log file

I have 10 syslog clients and everything works fine. Folder for every host is created...

Then i installed splunk and cofigured data inputs /var/log/HOSTS

When i go to splunk>search in all indexed data under sources i have all my log files but in Hosts section i have only one host, my sles syslog server where all messages are stored together.

I would like to have all my syslog clients under Hosts section to browse messages separately by client (host). Is it possible?

Thanks in advanced

Dragan

Re: Search by host (all indexed data Hosts list)

the_wolverine — Tue, 13 Apr 2010 19:02:53 GMT

Hi Dragan,

If you configure for this input, set host = segment in path, it should automatically figure out your syslog hosts. Since the input has already been created you won't be able to edit it from the UI. However, you can modify the monitor input directly in $SPLUNK_HOME/etc/.../local/inputs.conf:

[monitor:///var/log/HOSTS]
host_segment = 5
sourcetype = syslog

Re: Search by host (all indexed data Hosts list)

mudricd — Tue, 13 Apr 2010 19:47:47 GMT

Thanks a lot man!
Everything works fine now!
My hosts are finally showing up 🙂