Getting Data In

How to index logs of different source types in a single index?

masterpiece
Engager

How can I index logs from different source types in the same index?
Let's say Network ABC is having one AD and one Firewall. Now I want to create an index ABC and want to index logs from both different hosts in ABC instead of two different indexesfor each host.

0 Karma
1 Solution

ddrillic
Ultra Champion

That's the idea - to have an index with multiple sourcetypes ; -)

A bit more complex situation ...

How to index a single data source and apply multiple sourcetypes based on the format of the log line...

For example -

[monitor:///var/log/app/\w+.log*] 
sourcetype = log4j 
index = main

[monitor:///var/log/app/\w+-(web|req).log*]
sourcetype = access_common
index = main

[monitor:///var/log/app/\w+-billing.log*]
sourcetype = custom_billing
index = billing

It's from how to assign index and sourcetype to multiple different file types that live in the same directory

View solution in original post

ddrillic
Ultra Champion

That's the idea - to have an index with multiple sourcetypes ; -)

A bit more complex situation ...

How to index a single data source and apply multiple sourcetypes based on the format of the log line...

For example -

[monitor:///var/log/app/\w+.log*] 
sourcetype = log4j 
index = main

[monitor:///var/log/app/\w+-(web|req).log*]
sourcetype = access_common
index = main

[monitor:///var/log/app/\w+-billing.log*]
sourcetype = custom_billing
index = billing

It's from how to assign index and sourcetype to multiple different file types that live in the same directory

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...