Solved: How to index logs of different source types in a s...

masterpiece · ‎07-06-2016

How can I index logs from different source types in the same index?
Let's say Network ABC is having one AD and one Firewall. Now I want to create an index ABC and want to index logs from both different hosts in ABC instead of two different indexesfor each host.

ddrillic · ‎07-06-2016

That's the idea - to have an index with multiple sourcetypes ; -)

A bit more complex situation ...

How to index a single data source and apply multiple sourcetypes based on the format of the log line...

For example -

[monitor:///var/log/app/\w+.log*] 
sourcetype = log4j 
index = main

[monitor:///var/log/app/\w+-(web|req).log*]
sourcetype = access_common
index = main

[monitor:///var/log/app/\w+-billing.log*]
sourcetype = custom_billing
index = billing

It's from how to assign index and sourcetype to multiple different file types that live in the same directory

View solution in original post

ddrillic · ‎07-06-2016

That's the idea - to have an index with multiple sourcetypes ; -)

A bit more complex situation ...

How to index a single data source and apply multiple sourcetypes based on the format of the log line...

For example -

[monitor:///var/log/app/\w+.log*] 
sourcetype = log4j 
index = main

[monitor:///var/log/app/\w+-(web|req).log*]
sourcetype = access_common
index = main

[monitor:///var/log/app/\w+-billing.log*]
sourcetype = custom_billing
index = billing

It's from how to assign index and sourcetype to multiple different file types that live in the same directory

How to index logs of different source types in a single index?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!