Have date separated logs from single host sent wit...

johns3 · ‎10-02-2012

I am sending all of my logs to syslog-ng and then forwarding to Splunk with the universal forwarder. Everything is working great but right now I have each host/device logging to a single file. If i wanted to have a separate log file for each day or month or whatever per host/device using file("/var/log/$HOST/$YEAR/$MONTH/$DAY/ where a new log file for the host is created each day, how would I be able to have the universal forwarder have all of these files sent to the indexer and have them all under the same host in the indexer?

yannK · ‎10-02-2012

First, be aware that the syslog sourcetype is special, it includes an automatic extraction of the host from the event. (see the $SPLUNK_HOME/etc/default/props.conf
So you create an another sourcetype, based on syslog without this host extraction transform.

Second, to extract the host from the path, use the parameter host_segment, see
http://docs.splunk.com/Documentation/Splunk/4.3.4/admin/Inputsconf

Have date separated logs from single host sent with universal forwarder and indexed as single host?

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Have date separated logs from single host sent with universal forwarder and indexed as single host?

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk