Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Changing Syslog Source type for directories
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We're using Syslog-ng in our environment and have a forwarder setup on syslog-ng to forward the logs to Splunk. But when they're indexed in Splunk, the sourcetype is "syslog". Is it possible to set this to the actual source type? For example our syslog-ng directory structure looks like such:
/logs/log-type/hostname/
I want to be able to set log-type to be the sourcetype in Splunk. It has to be possible!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would have to set up different monitor stanzas in inputs.conf on the forwarder, e.g.;
[monitor:///logs/nginx/*/]
index = your_index
sourcetype = nginx
host_segment = 3
[monitor:///logs/cisco/*/]
index = your_index
sourcetype = cisco
host_segment = 3
etc etc
If you do not specify sourcetype (which I assume you have not done) Splunk will probably identify and classify it as syslog. And syslog is a sourcetype (the only one I think) where Splunk will automatically extract and set the host for each event in the log individually, i.e. not on a per file basis.
Therefore you will also have to set the host value manually, but the host_segment lets you set this from the path being monitored.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the inputs file, I have this and it worked:
[monitor:///logs/static-httpd-error-log/*/*.log]
sourcetype = static-httpd-error-log
index = main
host_segment = 3
Thanks for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you are most welcome. /k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would have to set up different monitor stanzas in inputs.conf on the forwarder, e.g.;
[monitor:///logs/nginx/*/]
index = your_index
sourcetype = nginx
host_segment = 3
[monitor:///logs/cisco/*/]
index = your_index
sourcetype = cisco
host_segment = 3
etc etc
If you do not specify sourcetype (which I assume you have not done) Splunk will probably identify and classify it as syslog. And syslog is a sourcetype (the only one I think) where Splunk will automatically extract and set the host for each event in the log individually, i.e. not on a per file basis.
Therefore you will also have to set the host value manually, but the host_segment lets you set this from the path being monitored.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This goes on the forwarder? Or should it be on the inputs.conf on the index?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Data Management Digest – May 2026
Index This | What is feather-light but cannot be held long?
.conf26 Registration is Live: Secure Your Early Bird Pass Now
