Various sourcetypes but same type of log

attgjh1
Communicator

Here's my situation:

I have 4 kinds of directories. Each directory represents a "Source".

Nowhere in the logs that are in the directories do they hint at their Source;
however, in each directory, the logs are formatted the same way, using the same field extractions.

e.g.

C:\terminalA\errorlog

C:\terminalA\eventslog

C:\terminalB\errorlog

C:\terminalB\eventslog

C:\terminalC\errorlog

C:\terminalC\eventslog

C:\terminalD\errorlog

C:\terminalD\eventslog

I thought of 2 ways to do this:
1. Monitor all 4 directories and place them in 2 sourcetypes, error and event (based on the above example). This saves time on field extractions, BUT I'm unable to identify their source (terminal). (Or is there any other way to identify the source?)
2. Monitor each directory separately. However, I have to apply field extractions to each sourcetype, which might be a tedious operation if my directory starts to get bigger with more sources.

I won't mind the extra effort, but am posting this question to ask if there is any other way around this situation.

Thanks a lot for your responses and thoughts.

bwooden
Splunk Employee

You can leverage the same extractions by centrally placing one copy in a transforms.conf and referencing them from multiple REPORT statements in props.conf. If I understand the challenge correctly, it would be best to create two sourcetypes (one for each log format). You can still discern origin location in the search language via the source field.

sourcetype=custom_error_log source="C:\terminalD\*"

You could even create an eventtype based on source. There are a few other options whose pros & cons are discussed in a similar thread titled "Way to insert/create field based on source".
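One way to lay out the props.conf/transforms.conf arrangement described in this answer, as an added example that is not part of the thread (the sourcetype names, the transform stanza name, the `terminal` field and the sample log line layout are assumptions; backslashes are escaped on the assumption that `source::` stanzas are regex-style patterns):

```ini
# --- props.conf ---
# Assign the two log formats to two sourcetypes by matching the source path,
# regardless of which terminal directory the file lives in.
[source::C:\\terminal*\\errorlog]
sourcetype = custom_error_log

[source::C:\\terminal*\\eventslog]
sourcetype = custom_events_log

# Both sourcetypes reference the same transforms.conf stanza through REPORT,
# so the field extraction is written once and reused.
[custom_error_log]
REPORT-common = terminal_common_fields
# Recover the terminal name from the source path at search time;
# "in source" runs the regex against the source field instead of _raw.
EXTRACT-terminal = \\(?<terminal>terminal[^\\]+)\\ in source

[custom_events_log]
REPORT-common = terminal_common_fields
EXTRACT-terminal = \\(?<terminal>terminal[^\\]+)\\ in source

# --- transforms.conf ---
# Assumed (constructed) log line layout: "<timestamp> <level> <message>".
# Named groups become the extracted fields for every sourcetype that
# references this stanza.
[terminal_common_fields]
REGEX = ^(?<timestamp>\S+)\s+(?<level>\w+)\s+(?<message>.*)$
```

With this in place, `sourcetype=custom_error_log terminal=terminalD` returns terminal D's errors without a separate sourcetype or extraction per directory.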

attgjh1
Communicator

I don't quite understand the transforms.conf explanation.

Thanks for the idea of using "source". I'll see if I can mask the paths and get what I want.
