Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Configuring splunk forwarder. Have duplicate usernames over multiple linux hosts. How to identify unique source?

stu6000
New Member
‎02-16-2015 10:54 PM

I am pulling data from several linux hosts, each host has several users, and i am collecting data from each users llog folder.

host1:
/opt/ABC/log/logfile1
/opt/ABCDEV/log/logfile1

host2:
/opt/ABC/log/logfile1
/opt/ABCLIVE/log/logfile1

This is my config from \Client panel\Dynamic Options:

index=ABC sourcetype=host Logon | dedup source | rex field=source "\/.ABC(?.)\/lo.*" |eval Client=replace(Client,"\d","") | sort auto

Command used to add file to monitor on each host:

/opt/splunkforwarder/bin/splunk add monitor /opt//log/logfile1 -index ABC -sourcetype HOST

The issue is that within Splunk home page, I have HOST , CLIENT
However due to the generic username of 'ABC' on host1 & host2 it is resulting in only one entry for 'Client\source', so im missing a source for host2 ABC user.

Ie:

/opt/ABC/log/logfile1
/opt/ABCDEV/log/logfile1
/opt/ABCLIVE/log/logfile1

Is there a way that i can configure splunk in order to be able to identify the 'generic' user?

Tags (2)
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎02-16-2015 11:12 PM

Your dedup is removing all the duplicated sources if I understand this correctly.

Why not use the host field for these sources? That will be unique... So do something similar as..

index=ABC sourcetype=host Logon | rex field=source "/opt\/(?P<Client>w+))\/" |stats count by host, Client

Your host field will be unique to each event. You can extract the Client name from the path and then do a dedup or stats count on it.. That will give you a unique count of events by host and by Client (username/ path on disk..)

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...