Getting Data In

How to identify type of log delivery

evelenke
Contributor

Hi Splunkers,

we have centralized syslog collector.
Also many hosts deliver logs via UFs directly.
The same index may contain data delivered from UFs and from syslog inputs.
Also we have DB connectors and APIs.
Is it possible to divide data by type of input? Does Splunk have this kind of inspection?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @evelenke,
you should divide them by source field:

  • syslogs have TCP:port or UDP:port;
  • Universal Forwarder have the file or the script or the module;
  • DB-Connect has db... (I'm not sure about this but you can check easily!).

Ciao.
Giuseppe

0 Karma

evelenke
Contributor

Hi @gcusello ,

everything may be custom - You can set index, source and sourcetype in inputs.conf on UF or DB Connect.
In this case you may\should have a big knowledge base and control everything.

I need something more simplistic like IP addresses or actual hostname of a source where logs were delivered from, is there's any option to track this?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @evelenke,
as you said, IP or hostname could be not useful if you can receive from a server both by Universal Forwarder or syslog.
You can easily identify syslogs (TCP:514 or UDP:514) and DB-Connect (db...), the others are different but they always come from Universal Forwarder.
Another way to identify sources from Universal Forwarders is that you surely have also logs from these servers in _internal.

Ciao.
Giuseppe

0 Karma

nickhills
Ultra Champion

source or sourcetype should be the differentiators.

Is this not sufficent for your needs?

If my comment helps, please give it a thumbs up!
0 Karma

evelenke
Contributor

May be custom

0 Karma

nickhills
Ultra Champion

Can you provide some examples?

If my comment helps, please give it a thumbs up!
0 Karma

evelenke
Contributor

You can set index, source and sourcetype in inputs.conf on UF or DB Connect.
In this case you may\should have a big knowledge base and control everything.

I need something more simplistic like IP addresses or actual hostname of a source where logs were delivered from, is there's any option to track this?

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.