
masterpiece
Engager
07-06-2016
12:48 PM
How can I index logs from different source types in the same index?
Let's say Network ABC has one AD and one Firewall. Now I want to create an index ABC and index logs from both hosts in ABC instead of two different indexes, one for each host.
1 Solution
ddrillic
Ultra Champion
07-06-2016
01:07 PM
That's the idea - to have an index with multiple sourcetypes ;-)
A bit more complex situation ...
For example -

```
[monitor:///var/log/app/\w+.log*]
sourcetype = log4j
index = main

[monitor:///var/log/app/\w+-(web|req).log*]
sourcetype = access_common
index = main

[monitor:///var/log/app/\w+-billing.log*]
sourcetype = custom_billing
index = billing
```

It's from "how to assign index and sourcetype to multiple different file types that live in the same directory".
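For the exact scenario in the question (one AD host and one firewall feeding a single index), here is an added example of the configuration; it is not from the original post. It shows the indexes.conf stanza that creates the index on the indexer and the inputs.conf stanzas on the forwarders for the two sources. The index name `abc`, the Security event log channel and the syslog port 514/udp are assumptions.

```ini
# indexes.conf on the indexer (e.g. $SPLUNK_HOME/etc/system/local or an app).
# Creates the index "abc"; the name is an assumption matching the question.
[abc]
homePath   = $SPLUNK_DB/abc/db
coldPath   = $SPLUNK_DB/abc/colddb
thawedPath = $SPLUNK_DB/abc/thaweddb

# inputs.conf on the universal forwarder installed on the AD domain controller.
# Windows event log inputs assign their own sourcetype (WinEventLog:Security),
# so only the destination index is set here.
[WinEventLog://Security]
disabled = 0
index = abc

# inputs.conf on the forwarder that receives the firewall's syslog.
# Port 514/udp is an assumption; the firewall must be pointed at this host.
[udp://514]
sourcetype = syslog
index = abc
connection_host = ip
```

Both feeds land in the same index and are told apart at search time by sourcetype, for example `index=abc sourcetype="WinEventLog:Security"` versus `index=abc sourcetype=syslog`, while one index keeps a single retention and role-based access policy for everything about Network ABC. Create the index on the indexer before the forwarders start sending, because events addressed to an index that does not exist there are not indexed.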
