Hi Splunkers,
we have a centralized syslog collector.
Also, many hosts deliver logs via UFs directly.
The same index may contain data delivered from UFs and from syslog inputs.
Also we have DB connectors and APIs.
Is it possible to divide data by type of input? Does Splunk have this kind of inspection?
Hi @evelenke,
you should divide them by the source field:
Ciao.
Giuseppe
Hi @gcusello ,
everything may be custom: you can set the index, source and sourcetype in inputs.conf on the UF or in DB Connect.
In this case you may/should have a big knowledge base and control everything.
I need something more simplistic, like the IP address or actual hostname of the source the logs were delivered from. Is there any option to track this?
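To make the "everything may be custom" point concrete, here is an added inputs.conf example (not from the original post or from Splunk's documentation) showing how a forwarder-side stanza and an indexer-side syslog stanza can each set their own index, source and sourcetype. The index name, file path and sourcetype values are assumptions chosen for illustration.

```ini
# Assumed UF stanza: a file monitor where the admin overrides all three fields.
# Because source/sourcetype are free-form, nothing in the event itself
# tells you later that it arrived via a Universal Forwarder.
[monitor:///var/log/app/app.log]
index = app_logs
sourcetype = app:log
source = app_server_log

# Assumed indexer/heavy-forwarder stanza for the syslog listener.
# Left at defaults, source becomes "udp:514", which is what the answers
# below rely on to recognize syslog traffic; connection_host = ip keeps
# the sender's IP as the host field instead of a DNS lookup.
[udp://514]
index = app_logs
sourcetype = syslog
connection_host = ip
```

If a site rewrites source on the syslog stanza as well, the "tcp:514 / udp:514" convention breaks, so the choice of whether to override source is effectively the choice of whether the input type stays recoverable from the data.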
Hi @evelenke,
as you said, IP or hostname may not be useful if you can receive from a server both via Universal Forwarder and via syslog.
You can easily identify syslog (TCP:514 or UDP:514) and DB-Connect (db...); the others differ, but they always come from a Universal Forwarder.
Another way to identify sources from Universal Forwarders is that you surely also have logs from these servers in _internal.
Ciao.
Giuseppe
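The two heuristics in this answer (classify by the source field, then confirm forwarder hosts against _internal) combined into one search, as an added example that is not part of the original thread. It assumes an index named app_logs, that the syslog listener kept its default source of tcp:514 or udp:514, that DB Connect sources start with "db", and that Linux-style UF file monitors have a source starting with "/".

```spl
index=app_logs earliest=-24h
| eval input_type=case(
      match(source, "^(tcp|udp):514$"), "syslog",
      match(source, "^db"),             "dbconnect",
      match(source, "^/"),              "uf_file",
      true(),                           "uf_other")
| stats count by host, input_type
| join type=left host
    [ search index=_internal sourcetype=splunkd earliest=-24h
      | stats count AS internal_events by host ]
| eval has_forwarder=if(isnotnull(internal_events), "yes", "no")
| table host, input_type, count, has_forwarder
```

A host that shows input_type=syslog and has_forwarder=no is one that only reaches Splunk through the collector; a host classified as uf_* with has_forwarder=no is worth a look, because either its source was customized or its forwarder is not reporting to _internal.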
source or sourcetype should be the differentiators.
Is this not sufficient for your needs?
May be custom
Can you provide some examples?