topic Re: Splunk forwarder to add custom fields for multiple logs in Splunk Search

Splunk forwarder to add custom fields for multiple logs

z001k6jr — Thu, 24 Dec 2015 11:15:10 GMT

I have to setup Splunk for 100 servers, each server will have 5-10 JVMs, Each JVM generates 3-4 log files. I would like to index logs to a central Splunk server and along with data , I would also like to send custom fields. so that I can uniquely search JVM logs or different files. for example a NullPinterException in JVM= "ABC" and in log file Server.log or in jms.log.
How can I design the deployment and custom fields?

The deployment looks like the following
Server A->
JVM 1->
server.log
jakarta.log
httpd.log
jms.log
JVM 2->
server.log
jakarta.log
httpd.log
jms.log

Server B->
JVM 3->
server.log
jakarta.log
httpd.log
jms.log
JVM 4->
server.log
jakarta.log
httpd.log

Re: Splunk forwarder to add custom fields for multiple logs

jplumsdaine22 — Thu, 24 Dec 2015 21:24:38 GMT

Just a question, have you run through the spunk tutorial? http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchTutorial/WelcometotheSearchTutorial

Also I recommend you give this a read first as well: http://docs.splunk.com/Documentation/Splunk/6.3.2/Indexer/Howindexingworks

People will definitely give you a hand but having some familiarity with the basics will make it easier of you to get the answers you need

Re: Splunk forwarder to add custom fields for multiple logs

jkat54 — Mon, 28 Dec 2015 15:28:10 GMT

How can I design the deployment and custom fields?

Sorry, but I'm not going to build the solution for you. I recommend you delete this question and only ask specific questions like... I get this error "complete error message" , how can I fix it? Not, I just got a new job as splunk admin and need to know how to setup deployment server and develop applications. The answer to your questions are covered in documentation, best practices, and splunk training sessions. All of which are available to you.

Re: Splunk forwarder to add custom fields for multiple logs

jchampagne_splu — Thu, 07 Jan 2016 18:46:30 GMT

Where are you writing the JVM logs to on the host? What's the full path?

You can use host_regex or host_segment to extract the JVM "hostname" out of the log file path. Splunk would then replace the built-in host field with that value.

http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/Inputsconf