 
Hello Splunkers,
I am forwarding logs from a Universal Forwarder to a Search Peer (standalone Indexer) and doing the search from a standalone Search Head. I have done what I could from my understanding. How can I see access.log and secure.log from hosts www1 - www9?
Below is the inputs.conf of my UF (log path: /opt/logs/www1 - www9):
[default]
host = UF-01-248
[monitor:///opt/log/www*/secure.log]
disabled = 0
host_segment = 5
sourcetype = secure.log
index = main
[monitor:///opt/log/www*/access.log]
disabled = 0
host_segment = 9
sourcetype = access.log
index = web
 
You can use the host_segment attribute to choose any segment of the monitored path as the host value. For example, host_segment = 3 should pick up the "www*" value from your monitored path above. You can also use a regular expression with the host_regex attribute for more advanced ways to set the host value dynamically.
Here is the documentation, with examples, on how to set the host value dynamically:
https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Setadefaulthostforaninput#Dynamically_set_th...
Try this:
[monitor:///opt/log/www*/secure.log]
disabled = 0
host_segment = 3
sourcetype = secure.log
index = main
[monitor:///opt/log/www*/access.log]
disabled = 0
host_segment = 3
sourcetype = access.log
index = web
Let me know if that doesn't work.
 
 
Hi Pankaj,
I followed this method to remove the events and reindex the same logs.
[monitor:///opt/log/www*/secure.log]
disabled = 0
host_segment = 3
sourcetype = secure.log
index = main
[monitor:///opt/log/www*/access.log]
disabled = 0
host_segment = 3
sourcetype = access.log
index = web
 
Sorry, I tried it earlier but didn't work.
I tried this in my environment and it's working perfectly:
[monitor:///opt/log/www*/access.log]
index = web
host_segment = 3
[monitor:///opt/log/www*/secure.log]
host_segment = 3
Can you clear the fishbucket and try indexing the data again?
Thanks,
Pankaj
 
 
During search, when I put index=web, it shows all the individual hosts for access.log. But from the Welcome screen, I cannot see the sourcetype access.log.
 
Thanks for the update, but I have achieved only 50% of my requirement, as I would also like to send this access.log into index = web.
Will the changes below work?
[monitor:///opt/log/]
disabled = 0
host_segment = 3
[monitor:///opt/log/]
disabled = 0
host_segment = 3
sourcetype = access.log
index = web
 
 
		Yes they will.
 
Try setting host_segment (which is basically the level at which the host name appears in the file path/source) to 3 for both. It seems the 3rd portion of the path is what you want as the host.
In /opt/log/www*/ : opt is 1st, log is 2nd, www* is 3rd.
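To make the segment counting in the two answers above (the first reply recommending host_segment = 3 / host_regex, and the "opt-1st, log-2nd, www*-3rd" explanation) concrete, here is a small Python model of how a host_segment or host_regex setting picks the host out of a monitored path. This is an added example, not code from this thread or from Splunk itself. The sample paths are constructed to match the layout in the question; the behaviour when the requested segment does not exist (falling back to the stanza's default host, which is what the original host_segment = 5 and 9 settings would have done on a four-segment path) is an assumption about Splunk's behaviour, not something the thread states.

```python
import re

# Constructed sample paths in the layout the question describes
SAMPLE_SOURCES = [
    "/opt/log/www1/secure.log",
    "/opt/log/www1/access.log",
    "/opt/log/www9/access.log",
]

# The [default] host from the asker's inputs.conf
DEFAULT_HOST = "UF-01-248"


def path_segments(source):
    """Split a monitored path into Splunk-style segments, numbered from 1
    starting at the first name after the leading '/':
    /opt/log/www1/secure.log -> ['opt', 'log', 'www1', 'secure.log']"""
    return [part for part in source.split("/") if part]


def host_from_segment(source, host_segment, default_host=DEFAULT_HOST):
    """Model of inputs.conf host_segment = <n>.

    Assumption (not stated in the thread): a segment number beyond the end
    of the path leaves the stanza's default host in place, which is why
    host_segment = 5 or 9 on a four-segment path never yields www1..www9."""
    segments = path_segments(source)
    if host_segment < 1 or host_segment > len(segments):
        return default_host
    return segments[host_segment - 1]


def host_from_regex(source, host_regex, default_host=DEFAULT_HOST):
    """Model of inputs.conf host_regex = <regex>: the first capture group of
    the regex, matched against the source path, becomes the host; if the
    regex does not match, the default host is used."""
    match = re.search(host_regex, source)
    if match is None or match.group(1) is None:
        return default_host
    return match.group(1)


def resolve_hosts(sources, host_segment):
    """Map each monitored file to the host it would be indexed under."""
    return {source: host_from_segment(source, host_segment) for source in sources}


def explain_segments(source):
    """Number the segments of a path the way the answers above count them."""
    return {index: name for index, name in enumerate(path_segments(source), start=1)}


if __name__ == "__main__":
    # Compare the asker's original values (5 and 9) with the suggested 3
    for segment in (3, 5, 9):
        print(f"host_segment = {segment}: {resolve_hosts(SAMPLE_SOURCES, segment)}")
    print(explain_segments(SAMPLE_SOURCES[0]))
    # The host_regex alternative mentioned in the first answer
    print(host_from_regex(SAMPLE_SOURCES[2], r"^/opt/log/(www\d+)/"))
```

Running it shows every sample file landing on www1 or www9 with host_segment = 3, and on the UF's default host with 5 or 9; the host_regex form is the one to reach for when the host name is not a whole path segment (for example a prefix inside a longer directory name).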
 
Thanks for reviewing my post. Do you mean something like the below?
[default]
host = UF-01-248
[monitor:///opt/log/www*/secure*]
disabled = 0
host_segment = 5
sourcetype = secure.log
index = main
[monitor:///opt/log/www*/access*]
disabled = 0
host_segment = 9
sourcetype = access.log
index = web
My requirement is to see www1, www2, etc. as individual hosts from the Search Head, each with its own access.log or secure.log.
