Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I monitor two access logs at once without using the regular host\source\sourcetype properties

shacham
Explorer
‎09-10-2013 07:48 AM

Hi,

Lets say I have 2 environments(TEST\PROD),
And in each one I have 2 brands with 2 diffrent access logs:
access-brand1.log, access-brand2.log

I'm trying to monitor them both but I'm already using my 'source' for the environments.
('host' and 'sourcetype' are also taken)
Is there any way I can still tell splunk to monitor them separately?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mloven_splunk
Splunk Employee
Splunk Employee
‎09-12-2013 07:21 AM

I'd suggest leaving source to the default (the name of the file (or network port) that the data comes from). This will give the ability to search on individual file names.

To define logical groups within your environment, you can use tags as Anthony suggested.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mloven_splunk
Splunk Employee
Splunk Employee
‎09-12-2013 07:21 AM

I'd suggest leaving source to the default (the name of the file (or network port) that the data comes from). This will give the ability to search on individual file names.

To define logical groups within your environment, you can use tags as Anthony suggested.

0 Karma
Reply
Solved! Jump to solution

mloven_splunk
Splunk Employee
Splunk Employee
‎09-11-2013 07:24 AM

If both logs are in the access_combined format, you can just tell Splunk that they're access_combined logs.

[monitor:///path/to/access-brand1.log]
index = myindex
sourcetype = access_combined

[monitor:///path/to/access-brand2.log]
index = myindex
sourcetype = access_combined

The above stanzas should work.

0 Karma
Reply
Solved! Jump to solution

mloven_splunk
Splunk Employee
Splunk Employee
‎09-15-2013 10:48 AM

And while that isn't "wrong", it's not really what source was meant for.

From the docs:

Source -
A default field that identifies the source of the event. In the case of data monitored from files and directories, source consists of the full pathname of the file or directory. In the case of a network-based source, the source field consists of the protocol and port, such as UDP:514.

0 Karma
Reply
Solved! Jump to solution

shacham
Explorer
‎09-12-2013 03:21 AM

But I'm already using my 'source' for the environments...
for example: source=PROD

0 Karma
Reply
Solved! Jump to solution

mloven_splunk
Splunk Employee
Splunk Employee
‎09-11-2013 08:02 AM

index=myindex sourcetype=access_combined source="/path/to/access-brand2.log"

EDITED to correct index...

0 Karma
Reply
Solved! Jump to solution

shacham
Explorer
‎09-11-2013 07:56 AM

But then how I can filter between the two?
If I want to search only in access-brand2.log, How can I tell splunk to do it?

0 Karma
Reply
Solved! Jump to solution

mloven_splunk
Splunk Employee
Splunk Employee
‎09-10-2013 12:37 PM

shacham,

I'm not really sure what you're asking. Maybe you can clarify?

If you want to monitor both files, you can do something like this:

[monitor:///path/to/access-brand1.log]
index = myindex
sourcetype = brand1_access

[monitor:///path/to/access-brand2.log]
index = myindex
sourcetype = brand2_access
0 Karma
Reply
Solved! Jump to solution

shacham
Explorer
‎09-11-2013 12:39 AM

This is one solution, but I'm trying to use diffrent solutions beacuse I want to use automatically recognized source types(pretrained) like:'access_combined'.
Splunk already knows how to properly index pretrained source types and I think it's good practice to use it.

0 Karma
Reply
Solved! Jump to solution

treinke
Builder
‎09-10-2013 08:22 AM

How about setting up tags?

http://docs.splunk.com/Documentation/Splunk/5.0.4/Knowledge/Abouttagsandaliases
http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Tagsconf

You can use tags to:
  • Help you track abstract field values, like IP addresses or ID numbers. For example, you could have an IP address related to your main office with the value 192.168.1.2. Tag that IPaddress value as mainoffice, and then search on that tag to find events with that IP address.
  • Use one tag to group a set of field values together, so you can search on them with one simple command. For example, you might find that you have two host names that relate to the same computer. You could give both of those values the same tag. When you search on that tag, Splunk returns events involving both host name values.
  • Give specific extracted fields multiple tags that reflect different aspects of their identity, which enable you to perform tag-based searches that help you quickly narrow down the results you want. To understand how this could work, see the following example.
There are no answer without questions
0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...