Have date separated logs from single host sent wit...

johns3 · ‎10-02-2012

I am sending all of my logs to syslog-ng and then forwarding to Splunk with the universal forwarder. Everything is working great but right now I have each host/device logging to a single file. If i wanted to have a separate log file for each day or month or whatever per host/device using file("/var/log/$HOST/$YEAR/$MONTH/$DAY/ where a new log file for the host is created each day, how would I be able to have the universal forwarder have all of these files sent to the indexer and have them all under the same host in the indexer?

yannK · ‎10-02-2012

First, be aware that the syslog sourcetype is special, it includes an automatic extraction of the host from the event. (see the $SPLUNK_HOME/etc/default/props.conf
So you create an another sourcetype, based on syslog without this host extraction transform.

Second, to extract the host from the path, use the parameter host_segment, see
http://docs.splunk.com/Documentation/Splunk/4.3.4/admin/Inputsconf

Have date separated logs from single host sent with universal forwarder and indexed as single host?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Join the Conversation