Getting Data In

Have date separated logs from single host sent with universal forwarder and indexed as single host?

johns3
Path Finder

I am sending all of my logs to syslog-ng and then forwarding to Splunk with the universal forwarder. Everything is working great but right now I have each host/device logging to a single file. If i wanted to have a separate log file for each day or month or whatever per host/device using file("/var/log/$HOST/$YEAR/$MONTH/$DAY/ where a new log file for the host is created each day, how would I be able to have the universal forwarder have all of these files sent to the indexer and have them all under the same host in the indexer?

Tags (1)
0 Karma

yannK
Splunk Employee
Splunk Employee

First, be aware that the syslog sourcetype is special, it includes an automatic extraction of the host from the event. (see the $SPLUNK_HOME/etc/default/props.conf
So you create an another sourcetype, based on syslog without this host extraction transform.

Second, to extract the host from the path, use the parameter host_segment, see
http://docs.splunk.com/Documentation/Splunk/4.3.4/admin/Inputsconf

Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...