Hello Splunkers,
I am forwarding logs from a Universal Forwarder to a Search Peer (standalone Indexer) and doing the search from a standalone Search Head. I have done as much as I could from my understanding. How can I see access.log and secure.log from hosts www1 - www9?
Below is the inputs.conf of my UF (log path: /opt/logs/www1 - www9):
[default]
host = UF-01-248
[monitor:///opt/log/www*/secure.log]
disabled = 0
host_segment = 5
sourcetype = secure.log
index = main
[monitor:///opt/log/www*/access.log]
disabled = 0
host_segment = 9
sourcetype = access.log
index = web
You can use the host_segment attribute to choose any segment of the monitored path to be the host value. For example, a host_segment=3 setting should pick up the "www*" value from your above monitored path. Also, you can use a regular expression with the host_regex attribute for more advanced ways to dynamically set the host value.
Here is the documentation and examples on how to dynamically set up the host value.
https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Setadefaulthostforaninput#Dynamically_set_th...
Try this:
[monitor:///opt/log/www*/secure.log]
disabled = 0
host_segment = 3
sourcetype = secure.log
index = main
[monitor:///opt/log/www*/access.log]
disabled = 0
host_segment = 3
sourcetype = access.log
index = web
Let me know if that doesn't work.
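As an added example (not part of this thread and not Splunk's own code), here is a small Python simulation of how host_segment and host_regex derive the host from the monitored path. It runs over constructed paths for www1 and www9 with the original stanzas from the question (host_segment = 5 and 9) beside the corrected ones (host_segment = 3), so you can see why the first config collapses everything onto the forwarder's default host. It assumes segments are counted 1-based from the first path component after the leading "/", that "*" in a monitor path stays within one directory level while "..." crosses levels, and that an out-of-range host_segment falls back to the default host; the fallback rule and the stanza dictionaries are assumptions made for the example.

```python
"""Simulate Splunk UF host assignment from inputs.conf monitor stanzas.

Added example, not Splunk code. Assumptions: 1-based segment numbering,
out-of-range host_segment -> default host, '*' matches within one
directory segment and '...' matches across segments.
"""
import re

DEFAULT_HOST = "UF-01-248"  # from the [default] stanza in the question

# Constructed sample paths as the forwarder would see them on disk.
SAMPLE_PATHS = [
    "/opt/log/www1/secure.log",
    "/opt/log/www1/access.log",
    "/opt/log/www9/secure.log",
    "/opt/log/www9/access.log",
]

# Stanzas as posted in the question (host_segment 5 and 9 do not exist
# in a four-segment path, so every event would get the default host).
ORIGINAL_STANZAS = {
    "monitor:///opt/log/www*/secure.log": {
        "host_segment": "5", "sourcetype": "secure.log", "index": "main"},
    "monitor:///opt/log/www*/access.log": {
        "host_segment": "9", "sourcetype": "access.log", "index": "web"},
}

# Corrected stanzas from the answer: segment 3 is the www* directory.
CORRECTED_STANZAS = {
    "monitor:///opt/log/www*/secure.log": {
        "host_segment": "3", "sourcetype": "secure.log", "index": "main"},
    "monitor:///opt/log/www*/access.log": {
        "host_segment": "3", "sourcetype": "access.log", "index": "web"},
}


def host_from_segment(path, segment, default_host=DEFAULT_HOST):
    """Return the Nth (1-based) path segment, or the default host if N is out of range."""
    parts = [p for p in path.split("/") if p]
    if 1 <= segment <= len(parts):
        return parts[segment - 1]
    return default_host  # assumption: out-of-range segment -> default host


def host_from_regex(path, pattern, default_host=DEFAULT_HOST):
    """Return the first capture group of host_regex applied to the path."""
    match = re.search(pattern, path)
    if match and match.groups():
        return match.group(1)
    return default_host


def stanza_to_regex(stanza):
    """Translate a monitor:// stanza name into a regex over the full path."""
    glob_path = stanza[len("monitor://"):]
    pattern = re.escape(glob_path)
    pattern = pattern.replace(r"\.\.\.", ".*")     # '...' crosses directory levels
    pattern = pattern.replace(r"\*", "[^/]*")      # '*' stays within one segment
    return re.compile("^" + pattern + "$")


def resolve(path, stanzas):
    """Return (host, sourcetype, index) for the first stanza matching the path."""
    for name, settings in stanzas.items():
        if not stanza_to_regex(name).match(path):
            continue
        if "host_regex" in settings:
            host = host_from_regex(path, settings["host_regex"])
        elif "host_segment" in settings:
            host = host_from_segment(path, int(settings["host_segment"]))
        else:
            host = settings.get("host", DEFAULT_HOST)
        return host, settings.get("sourcetype"), settings.get("index")
    return None


def hosts_for(paths, stanzas):
    """Set of distinct host values a search head would see for these paths."""
    results = (resolve(p, stanzas) for p in paths)
    return {host for host, _, _ in results if host is not None}


if __name__ == "__main__":
    for label, stanzas in (("original", ORIGINAL_STANZAS),
                           ("corrected", CORRECTED_STANZAS)):
        print(f"== {label} stanzas ==")
        for path in SAMPLE_PATHS:
            print(path, "->", resolve(path, stanzas))
```

With the original stanzas every path resolves to host UF-01-248, which is exactly the symptom of not being able to tell www1 from www9 on the search head; with host_segment = 3 the hosts come out as www1 and www9, each with the expected sourcetype and index.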
Hi Pankaj,
I followed this method to remove the events and reindex the same logs.
[monitor:///opt/log/www*/secure.log]
disabled = 0
host_segment = 3
sourcetype = secure.log
index = main
[monitor:///opt/log/www*/access.log]
disabled = 0
host_segment = 3
sourcetype = access.log
index = web
Sorry, I tried it earlier but didn't work.
I tried this in my environment and it's working perfectly:
[monitor:///opt/log/www*/access.log]
index = web
host_segment = 3
[monitor:///opt/log/www*/secure.log]
host_segment = 3
Can you clear the fishbucket and try indexing the data again?
Thanks,
Pankaj
During search, when I put index=web, it shows all the individual hosts for access.log. But from the Welcome screen, I cannot see the sourcetype access.log.
Thanks for the update, but I have achieved 50% of my requirement, as I would like to send this access.log into index = web.
Will the below changes work?
[monitor:///opt/log/]
disabled = 0
host_segment = 3
[monitor:///opt/log/]
disabled = 0
host_segment = 3
sourcetype = access.log
index = web
Yes they will.
Try setting host_segment (which is basically the level at which the host is available in the file path/source) to 3 for both. Seems like the 3rd portion of the path is what you want as the host.
In /opt/log/www*/ : opt - 1st, log - 2nd, www* - 3rd
Thanks for reviewing my post. You mean like below?
[default]
host = UF-01-248
[monitor:///opt/log/www*/secure*]
disabled = 0
host_segment = 5
sourcetype = secure.log
index = main
[monitor:///opt/log/www*/access*]
disabled = 0
host_segment = 9
sourcetype = access.log
index = web
My requirement is to see www1, www2, etc. as individual hosts from the Search Head, each with its own access.log or secure.log.