Let’s begin by saying I’m new to Splunk, so don't assume I know something.
I’m thinking about how I should assign the host field in a web farm scenario. Let’s say I have the following setup:
There are two servers, WEB1 and WEB2.
Each server hosts the same web sites (with a load balancer in front, so an HTTP request can go to any server).
There are many web sites per server, say foo.fabricam.com, bar.fabricam.com, and so on.
The default host value would be the server name, right? Would it be better to change it through configuration to the virtual host (foo.fabricam.com) and add a field "server=WEB1", or should I keep the default host and add, for instance, "vhost=foo.fabricam.com"?
I figure the more general server logs, such as event logs and performance counters, are bound to the server name (host=WEB1), so it might be better to keep web site logs alike.
Both the virtual host name and the server host name can be included in most application-specific logs. I can also include the virtual host name in the log file path. Also, each web site/virtual host will have its own set of log files (application-specific, access logs, etc.).
What would you do and why? Is there a good default field name for a web site’s virtual host name?
If you run the Splunk instance on the server, then keep host=WEB*, but if you run the Splunk instance inside each VM, then let it be the virtual host. In other words, let Splunk do what it normally would do.
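Added example, not from either poster: one way to express the "keep the default host" approach in Splunk configuration, assuming a forwarder runs on each web server and each site's logs sit under a path that contains the virtual host name, such as /var/log/www/foo.fabricam.com/access.log (the path layout and the field name vhost are assumptions, not part of the thread).

```ini
# inputs.conf on the forwarder running on WEB1 (added example; log path layout is assumed)
[monitor:///var/log/www/*/access.log]
sourcetype = access_combined
# No "host" setting here: host keeps its default (the server name, WEB1),
# so the web logs carry the same host value as the event logs and
# performance counters collected from the same machine.
#
# The alternative raised in the question (host = virtual host) would instead be:
#   host_segment = 4
# which takes the 4th path segment (foo.fabricam.com) as host; the physical
# server would then need its own field, e.g. a "server" field.

# props.conf on the search head or indexer: derive vhost from the source path
# at search time, so the site name stays searchable without touching host.
[access_combined]
EXTRACT-vhost = /var/log/www/(?<vhost>[^/]+)/access\.log in source
```

With this in place a search can combine both dimensions, for example `sourcetype=access_combined host=WEB* vhost=foo.fabricam.com`, which works the same way for server-level data that only has host.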